[eli]

Well of course there have to be rules. Does spear phishing employees email accounts and using their password to access control panels count as a bug? I bet I could hack a lot of companies that way. Does being susceptible to a massive DDoS count as a bug? Cutting power to the building?

I can't speak for Prezi, but it seems like they want people to test the security of their app, but not of their employees or back office infrastructure. Maybe you disagree, but it's their bounty and I think those are fair rules.

[davorak]

A simple rule of thumb seems to be is, does it cause a problem if all the bug bounty hunters take the same approach.

Phishing employees, DDoSing definitely cause problems if a large number, or one, of bug bounty hunters take on the approach.

It seems even if all the bug bounty hunters searched for and found http://intra.prezi.com:8081, preformed google searches and tested found logins by hand, no problem would result for prezi.

So it seems like Phishing employees and DDoSing are inherently different then the approach in the post.

[fleitz]

Yes, it does. Customers do not care how the intruder got in only that they got in. Spearfishing is an attack that makes the company look dumb. Leaving the credentials for your source code on the web makes you look even dumber.

To qualify for the bug bounty he should have inserted code into their codebase and then exploited that. Fuck these guys.

[dllthomas]

Flooding communications channels (in particular, mental bandwidth of front-line employees) with attempts to spearfish is an attack that interferes with operations even when unsuccessful. It does not make sense to ask the world at large to persistently try such attacks.

This case is not like that, though.

[tantalor]

> Does spear phishing employees email accounts and using their password to access control panels count as a bug?

Yes, because those control panels should require 2FA, so password-only access is a bug.

[ars_technician]

2FA is susceptible to spear phishing if all the attacker needs is a one time login.

Remember that credentials and tokens can be relayed.

[tantalor]

Not necessarily. FIDO fixes this.

http://www.fidoalliance.org/user-experience.html

[ars_technician]

How? A phishing site can relay any of this information by acting as a client to the real site while prompting the end user for the requested credentials.

The only way FIDO could prevent this would be to make the credentials dependent on the URL in the browser, but I don't see where it does this.

[tantalor]

With FIDO, the user doesn't manually enter a 2FA token into a form field. Instead they press a button or something which directly transmits the token over SSL to the authentication server.

MITM is still possible, but there are other ways to combat that, such as TLS Channel IDs [1] or Bearer Tokens [2].

[1] http://www.google.com/intl/en/chrome/browser/privacy/whitepa... [2] http://www.browserauth.net/

[nostrademons]

Large tech companies routinely run pentest exercises against themselves that involve phishing their own employees. Good security has to include educating the human element as well: if you have great technical security but all you have to do to get in is ask an employee their password, you've lost.

Large companies also invest significantly in protection against massive DDoS and power cuts to the building, along with drills for earthquakes and zombie apocalypses.

[eli]

I wasn't trying to say those things aren't really security problems... just that they perhaps aren't things you'd want random people on the internet attempting to exploit.

[danielweber]

They also control the rate at how their own employees get phished, especially if they want the employees to report any suspicious attempts. Constant barrages from outsiders will make the employees stop reporting.