Even a cursory look at past stories we've done about how companies treat security researchers who point out the trash-state of their products would reveal that entirely too many people and companies seem to think shooting the messenger is the best response. I have never understood the impulse to take people who are essentially stress-testing your software for free, ultimately pointing out how the product could be safer than it is, and then threatening those people with legal action or law enforcement. But, then, much of the world makes little sense to me.
Such as why a Yelp for MAGA people should ever be a thing. But it absolutely is a thing, with conservative news site 63red.com releasing a mobile app that is essentially a Yelp clone, but with the twist that its chief purpose is to let other Trump supporters know how likely they are to be derided when visiting a restaurant. This is an understandable impulse, I suppose, given the nature of politics in 2019 America, though the need for an app seems like overkill. Regardless, the app was released and a security researcher found roughly all the security holes in it.
On Tuesday, a French infosec bod, going under the Mr Robot-themed pseudonym Elliot Alderson and handle fs0c131y, notified 63red that it had left hard-coded credentials in its Yelp-for-Trumpistas smartphone application, and that whoever built its backend APIs had forgotten to implement any meaningful form of authentication.
Alderson poked around inside the Android build of the app, and spotted a few insecure practices, including the username and password of the programmer, and a lack of authentication on its backend APIs, allowing anyone to pull up user account information, and potentially slurp the app's entire user database. It's also possible to insert data into the backend log files, we're told.
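The three problems described above (credentials embedded in the shipped app, a backend endpoint that hands out user records to anyone who asks, and caller-controlled text written straight into log files) are common enough that it is worth seeing what each looks like next to its fix. The following is an added example written for this article; it is not 63red's code, and the user records, the `ADMIN_PASSWORD` snippet and the token scheme are all constructed stand-ins. It shows an unauthenticated lookup beside a hardened one that requires a per-user token, checks that the caller owns the record, and neutralises newlines before logging, plus a small scanner of the kind a build pipeline can run over source or decompiled output to flag credential assignments before they ship.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample backend store (not the real app's data or schema).
USERS = {
    1: {"id": 1, "email": "alice@example.test", "display_name": "alice"},
    2: {"id": 2, "email": "bob@example.test", "display_name": "bob"},
}

LOG = []  # in-memory stand-in for the backend log file


def vulnerable_get_user(user_id, note=""):
    """Unauthenticated endpoint: any caller can enumerate every record and
    write arbitrary text, newlines included, into the log."""
    LOG.append(f"lookup user={user_id} note={note}")
    return USERS.get(user_id)


# Hardened version. Tokens are issued per user (constructed here at import
# time); the server keeps only their hashes so a leaked table is useless.
TOKENS = {uid: secrets.token_hex(16) for uid in USERS}
TOKEN_HASHES = {uid: hashlib.sha256(t.encode()).hexdigest() for uid, t in TOKENS.items()}


def authenticate(bearer_token):
    """Return the user id that owns a valid token, else None.
    hmac.compare_digest keeps the comparison constant-time."""
    if not bearer_token:
        return None
    presented = hashlib.sha256(bearer_token.encode()).hexdigest()
    for uid, stored in TOKEN_HASHES.items():
        if hmac.compare_digest(presented, stored):
            return uid
    return None


def sanitize_log_field(value, limit=200):
    """Drop CR/LF and other control characters so a caller cannot forge
    extra log lines, and cap the length."""
    cleaned = "".join(ch for ch in str(value) if ch.isprintable())
    return cleaned[:limit]


def hardened_get_user(user_id, bearer_token=None, note=""):
    """Authenticated endpoint: 401 without a valid token, 403 when the token
    belongs to someone else, and sanitised log output."""
    caller = authenticate(bearer_token)
    if caller is None:
        return {"status": 401, "body": None}
    if caller != user_id:
        return {"status": 403, "body": None}
    LOG.append(f"lookup user={user_id} note={sanitize_log_field(note)}")
    return {"status": 200, "body": USERS[user_id]}


# Build-time check for credentials baked into source. Matches an assignment
# whose name contains a secret-like word and whose value is a quoted literal.
SECRET_ASSIGN = re.compile(
    r'(?i)^\s*([A-Za-z_][\w.]*(?:password|passwd|pwd|api[_-]?key|secret|token)\w*)'
    r'\s*[:=]\s*["\'][^"\']+["\']'
)


def find_hardcoded_secrets(source_text):
    """Return (line_number, identifier) for each suspicious assignment.
    The value itself is deliberately not returned, so findings can be
    shared without copying the secret around."""
    findings = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        m = SECRET_ASSIGN.match(line)
        if m:
            findings.append((lineno, m.group(1)))
    return findings


# Constructed snippet imitating a decompiled config file.
SAMPLE_SOURCE = """\
# constructed snippet imitating decompiled app config
BASE_URL = "https://api.example.test"
ADMIN_USER = "developer"
ADMIN_PASSWORD = "hunter2"
retry_count = 3
"""

if __name__ == "__main__":
    print("anonymous, vulnerable:", vulnerable_get_user(2))
    print("anonymous, hardened:", hardened_get_user(2))
    print("own record, hardened:", hardened_get_user(2, TOKENS[2]))
    print("embedded credentials:", find_hardcoded_secrets(SAMPLE_SOURCE))
```

The scanner is intentionally simple; real pipelines use tools with much larger rule sets, but the point is that the flagged line in the constructed snippet is exactly the kind of thing that should stop a release. The hardened endpoint also separates authentication from authorisation, which matters because "who are you" and "may you see this record" are different questions, and the original app answered neither.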
In other words, what 63red meant to build was an app to let Trump supporters know where they can go to feel safe. What it actually built was an app that tried to do that, but instead exposed user information to anyone who wanted to mine for it or, say, build a list of Trump supporters for reasons that could be entirely nefarious. Not great.
Nor was the reaction from 63red, which decided that Alderson pointing out its shoddy work warranted a threat to refer him to the FBI, AKA the Deep State.
"We see this person's illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today," 63red's statement reads. "We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law."
63red described the privacy issues as a "minor problem," and noted that no user passwords were exposed nor any user data changed.
For his part, Alderson took the threat of an FBI referral in full stride. Far from quaking in his boots, he simply pointed out that 63red's security was so non-existent that he didn't need to commit any crimes to do what he did.
"The FBI threat is a threat, I didn't do anything illegal," he told The Register. "I didn't break or hack anything. Everything was open."
And now this whole story is getting far greater coverage due to the threat than it would have had 63red simply, you know, secured their app based on the freely given information provided by a white hat security researcher.
I'm sure the folks using this app couldn't feel more safe.
Filed Under: donald trump, maga, reviews, security, threats
Companies: 63red