It has been almost three weeks since the FBI raided the home of dental software technician and independent security researcher Justin Shafer. As best as can be determined from limited public information, Shafer’s “crime” appears to be that he downloaded files made freely available on a public and anonymous FTP server owned by a company called Patterson Dental; Shafer then notified them and some of their clients that they were exposing patients’ protected health information on that server.
The chilling effects of that raid were apparent that same day. Fearing they might suffer the same fate as Shafer—namely, facing possible charges under the Computer Fraud and Abuse Act (CFAA)—if they tried to notify companies of vulnerabilities they had discovered, other researchers dumped what would be almost 400 vulnerabilities in this reporter’s lap with a note explaining their reluctance to try to notify companies of their findings.
Concerned that she, too, might find armed FBI agents on her doorstep if she tried to notify companies of the researchers’ findings—or in court trying to protect her sources as a journalist—this reporter wondered whether she could get a company to give her some assurances before she disclosed a vulnerability to them. After reviewing the information the researchers had provided, she decided to start with GoDaddy.
Promise you won’t make trouble for me
The request to GoDaddy’s legal department on May 29 said, in part, that if I were to provide them with the information given to me if the company promised to not report my disclosure to law enforcement:
…. I am keenly aware that the FBI or government might come knocking on my door seeking more information or to even claim that I "hacked" GoDaddy in my attempt to simply determine if there was an issue I should contact GoDaddy about.
Therefore, I have decided to try this: I will give you the information they gave me about GoDaddy's serious vulnerability if GoDaddy sends me a statement (email is fine) that (1) GoDaddy understands that this information is being provided to GoDaddy by me solely to help GoDaddy and its customers, that (2) I had NOTHING to do with discovering the vulnerability, (3) GoDaddy will not seek further information from me about the identity of the researchers (who are actually anonymous/unknown to me as they've used fake accounts to contact me), (4) GoDaddy will not refer this matter to law enforcement to have law enforcement contact me, and (5) GoDaddy understands that once the vulnerability is patched, I may report on the situation.
On May 31, I received a response from GoDaddy Chief Information Security Officer (CISO) Todd Redfoot thanking me for contacting them and pointing me to their bug bounty program. But I didn’t want a bug bounty for something I didn’t find, and the vulnerability did not meet the criteria for their bug bounty program. I reiterated that I wanted assurances and only then would I provide the information the researchers had dumped on me.
By June 4, despite ongoing contacts with Redfoot and between Redfoot and GoDaddy's legal department, I still hadn’t received any assurances and had not heard from Legal directly.
In frustration, I wrote to Redfoot:
… I know YOU get this and want it dealt with promptly so you can just fix the damned problem and secure customer PII. Does LEGAL get that it's been about a week now that they've let customer data exposed to blackhats while they fuck around with just giving me some protection for relaying info?
Imagine if GoDaddy gets sued and discovery reveals that GoDaddy knew they had a problem 1 week ago and didn't patch it or address it when they could have? Now multiply that by millions of potential class-action members.
Geez... and if this is what I'm going to go through with every firm I contact with a big security hole, then I need to rethink what to do. I'm sure as heck not reinforced for trying to help.
Later that day, I received some assurances from GoDaddy:
-- We understand that you did not discover the information you intend to provide us, and that you are providing it to us so that we can take any steps necessary to secure our systems.
-- We will not seek to obtain any information from you about the identity of the researchers who provided this information to you.
-- We understand that you intend to report on this information, but that you will hold off on doing that until we confirm that any vulnerability has been patched. We'd like to review this report before it goes out, and would also like to do joint statement to help out with future reporting best practices as
-- We will work quickly to investigate the information you provide. We certainly do not plan to involve law enforcement at this point, but may involve law enforcement if we find that the vulnerability has been exploited by others and we have evidence of misuse. If the situation is one that we notify law enforcement about, we would make it clear that we received an anonymous tip brought to our attention in good faith to help GoDaddy and its customers.
The assurances weren’t ideal, but I decided to accept them so that GoDaddy could get the information and address it. I immediately sent the information and added a note that the researchers had assured me that they had not used or misused any data obtained during their research.
The vulnerability report
So what was it that the researchers had sent me about GoDaddy? Their message had described what sounded to me like a potentially serious concern:
"Take [url redacted by the Daily Dot]. These servers are the SMTP mail logging and tracking systems for Godaddy's email system.... All those servers are feeding different nodes and pipelines, and are all mail that in some manner originates, terminates or traverses any of the domains hosted on the godaddy network. If one has the bandwidth, they could scrape this data, and more if they know where to look, harvesting email account that are active, in a number around 50-100k unique addresses a minutes if all the servers could streamed."
The researchers had attached a screenshot that was the output of running a small script at a Linux prompt. That screenshot showed the time logged, origination, recipient’s email address, source IP address, and other technical data (MTA loc, scr MTA).
In addition to the url mentioned above, there were two other GoDaddy urls provided in the researchers' list as vulnerable. Both of them were also provided to GoDaddy.
GoDaddy issued the following statement in response to their investigation, attributable to Redfoot:
GoDaddy was able to fix the issue within three hours of receiving the vulnerability information. Once the issue was resolved, we conducted a thorough investigation and found that no personal identifying information, such as names and addresses, or financial information was exposed.
The vulnerability did expose system logs of email activity from our email marketing product over a seven-day period. Again, that log didn’t contain any personal identifying or financial information. Our investigation also found no evidence of parties attempting to exploit the log of system emails exposed.
On behalf of GoDaddy, thank you for sending the information to our team, which enabled us to fix the issue quickly. We remain forever vigilant in our security measures, which includes working closely with the security community to identify and resolve potential issues. That is why GoDaddy has a formal bug bounty program in place that provides researchers a quick and easy way to report bugs.
So far, and happily, this reporter has not been contacted by the FBI.
One down, 380+ to go
It took the author two weeks and about a dozen emails to make that one notification. And although this experience shows that it may be possible to negotiate some assurances, realistically speaking, the FBI’s job is to uncover the source of any hacks or nonconsensual research involving downloading of data. So might other companies turn to the FBI because they might erroneously believe I had accessed their files? Possibly, and it was a risk that might not be worth taking just to help companies to which I owed no real duty. Further, could such delays due to seeking assurances leave personal or sensitive information at continued risk in other cases? This was clearly a less than ideal approach.
During our conversations, I asked Redfoot for his thoughts on what might be a useful approach to this challenge, and we will be talking more in the future. It seems clear to this journalist and privacy advocate, however, that entities need to look at their websites to see if they provide a way for people to anonymously report vulnerabilities or security concerns. Perhaps the first part of any incident response plan needs to answer this question, “Have we created and linked to a means for people to anonymously alert us to security concerns?”
This is a suggestion I’ve been promoting for the past decade. The Federal Trade Commission also encourages businesses to have a system in place for receiving and responding to vulnerability alerts, and has taken enforcement action against two companies that did not have such systems in place (the HTC America case and the Fandango case). A bug bounty program, while helpful and admirable, will simply not be relevant for all reports and situations, creating a need to allow anonymous reporting.
But in the meantime, what to do about those other 380 issues that should be reported?
Thankfully, when I told Jigsaw Security about the situation, they stepped up to the plate and offered to send the notifications. I’m grateful for their assistance in this matter. Could their notifications be ignored or go to spam folders? Sure. Could they be accused of hacking the companies they are trying to help? Sure. They, too, have gotten “shoot the messenger” responses at times.
If your firm receives an email from Jigsaw Security, do read it. It may really be from some unknown researchers who wanted to let you know you may have a security issue, but were scared to contact you directly because of what many believe to be government overreach in the Shafer case.
Dissent Doe is the pseudonym of a privacy advocate who reports on privacy issues and data security breaches PogoWasRight.org and DataBreaches.net. Her research on breaches has fueled resources such as DataLossDB.org and InfoisBeautiful, and it has served as the basis for a number of investigations by the Federal Trade Commission.