Saturday, November 30, 2024

Open Bug Bounty Website Security Vulnerability Notification email

I received a suspicious email with the subject "Open Bug Bounty - my website Security Vulnerability Notification | Confidential & Important".

My first thought was, is this a scam?

There's a report number and a link, but really, who's game to click on those links. Instead, I opened the site and then drilled down using the rest of the URL. The site was legitimate, and the report let me know they'd located a vulnerability on my site and that the information would be released in due course, 30/90 days.

I then decided to download the raw logs for the site and see if there was anything in the logs that could provide a clue. There it was, near the top of the daily log. I could see the actual code they'd used to test for the vulnerability.

I'm torn between sharing the code or not, because the code really does help you identify areas on your site where you may be able to tighten up the code. But also sharing the code means anyone can use that code as a basis for malicious behaviour. 

If you do receive an email from Open Bug Bounty, I'd highly recommend investigating further. Any email could be fake, and since Open Bug Bounty would issue many of these notifications, creating fake Open Bug Bounty emails is a path bad actors could use to attack users. For this reason, do what I did and go to the Open Bug Bounty site and then manually add the remainder of the URL to the address in the address bar. That way you won't be tricked into going to a malicious site.

Also check your raw logs and if you're lucky, you'll see the code they used and can then use that code yourself to test and improve your site.
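The post doesn't say what the test request looked like, so here is an added example of the log review it describes, written for this page and not taken from the author or from Open Bug Bounty. It parses raw access logs in the common "combined" format, URL-decodes each request target (repeatedly, since probes are sometimes double-encoded), flags requests containing characters that rarely appear in ordinary requests to a simple content site, and then pulls every request from the same client IP so you can see the whole test sequence. The log lines are constructed samples with documentation-range IPs; the probe-character set is a generic heuristic, not a signature for any particular vulnerability class.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/Nginx "combined" log format.
# These are NOT real log entries; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Nov/2024:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Nov/2024:03:14:09 +0000] "GET /search?q=%22%3E%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Nov/2024:03:20:11 +0000] "GET /about.html HTTP/1.1" 200 3100 "https://example.com/" "Mozilla/5.0"
203.0.113.7 - - [29/Nov/2024:03:14:12 +0000] "GET /contact.php?name=test%27%29%3B HTTP/1.1" 200 900 "-" "curl/8.4.0"
"""

# One combined-format line: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic (an assumption, not a rule): quotes, angle brackets, backticks, parentheses and
# semicolons rarely belong in a legitimate request to a plain content site, but turn up in
# many kinds of injection probes. Tune this for your own site's real URL space.
PROBE_CHARS = set('<>"\'`();')


def decode_fully(target, rounds=3):
    """URL-decode until the string stops changing, so double-encoded probes are exposed."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is not in combined format."""
    match = LOG_RE.match(line.rstrip("\n"))
    if not match:
        return None
    record = match.groupdict()
    record["decoded"] = decode_fully(record["target"])
    return record


def looks_like_probe(decoded_target):
    """True if the decoded request target contains any of the suspicious characters."""
    return any(ch in PROBE_CHARS for ch in decoded_target)


def find_probes(log_text):
    """All parsed records whose decoded target trips the heuristic, in log order."""
    return [
        rec for rec in map(parse_line, log_text.splitlines())
        if rec is not None and looks_like_probe(rec["decoded"])
    ]


def requests_from(log_text, ip):
    """Every request from one client, so the full test sequence around a probe can be read."""
    return [
        rec for rec in map(parse_line, log_text.splitlines())
        if rec is not None and rec["ip"] == ip
    ]


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['decoded']} -> {hit['status']}")
    # Once a probe is found, list everything that client did that day.
    for rec in requests_from(SAMPLE_LOG, "203.0.113.7"):
        print("  ", rec["ts"], rec["method"], rec["decoded"], rec["ua"])
```

Point the script at your own downloaded raw log instead of SAMPLE_LOG (for example by reading the file and passing its contents to find_probes), and expect some false positives: any site that legitimately accepts quotes or parentheses in query strings will need PROBE_CHARS narrowed. The useful part is the second step, grouping by client IP, since a scanner's other requests in the same minute usually show which pages and parameters were being tested.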

I should also add that until now I didn't know anything about this type of vulnerability. Open Bug Bounty is testing people's websites and that means every website owner who sees their test could also then know about the code being used and potentially use that code themselves. In effect letting more people know how to become a malicious actor. That's not a good potential outcome.

I am thankful that Open Bug Bounty checked my site, which in turn enables me to improve my site and my knowledge.

Kelvin Eldridge
