`` Amazon and PayPal pointed out the vulnerability of account authentication but could not be opponent, '' a security researcher reported

Technical vulnerabilities caused by software and hardware, such as

vulnerabilities in the file sharing protocol of Windows 10 and vulnerabilities related to VPN connection of the iPhone, are immediately talked about, and companies often distribute patch patches as soon as possible. Said Kevin Lee , a researcher, said companies did not cooperate in reporting account authentication vulnerabilities.

Vulnerability reporting is dysfunctional

In January 2020, Lee reported that a SIM card exchange procedure performed by a US mobile carrier was flawed, and that a ' SIM swap attack ' in which an attacker could take over a phone number or SMS was possible. At the same time, it pointed out that if the SIM swap attack succeeds, websites that use only phone numbers or SMS to verify account identities may be taken over by attackers.

Security researchers point out that there is a flaw that could leak personal information in the carrier's SIM card exchange process-GIGAZINE

After reporting the flaws in his

paper , Lee told the company that operates the attackable website about email addresses for security inquiries, HackerOne , a bug reporting platform, as well as regular customer support and Twitter direct messages. He reported the existence of the defect through various points of contact and pointed out that it needed to be fixed.

Among the 17 sites that Lee asked for fixes, Adobe, Snapchat, and eBay responded quickly, with a response saying they had completed the fix. However, Microsoft, Paypal, and Yahoo did not understand the threat, despite having demonstrated a SIM swap attack. In the case of PayPal, he said he rejected the point that 'SIM swap attack is a carrier problem, not a PayPal problem.' Lee said to PayPal's response that `` the carrier is responsible for taking over the phone number and SMS by SIM swap attack, but it is a website problem that account authentication can be done only with phone number and SMS ''. You.

Mr. Lee reported that he reported the vulnerability to HackerOne, a platform that can receive bounty for bug reports, but was not recognized as 'not a software bug'. Lee said of HackerOne

triage has questioned the system, as a result of a bug in HackerOne in the same way as Lee says, cases had been an account to spam handling, let alone receive the reward also reported have been.

Ultimately, nine of the 17 sites did not fix the flaws at the time of article creation. Websites that do not fix the flaws also include payment services such as PayPal and Venmo, where security is important.

Lee points out that companies should take reporting of vulnerabilities seriously, use a model to detect such vulnerabilities, and have a direct contact for security reports.

in Security, Posted by darkhorse_log