A delicate problem

Hello, I have a bit of a problem on how to approach this and not waste my time and effort. So here is how it all started…

A few weeks ago a friend sent me his company site backup asking me to keep a copy because his backup strategy is non-existent. I said fine, I’ll keep a copy, but maybe you should ask for an admin account so if we need to restore we can do it with any web dev company. I asked if I could snoop around the backup and both the dev and he agreed. The thing is that the same developer is running a few websites for our parent company, and they brag about their custom CMS and having a software engineering degree instead of a “self-taught Wordpress drag and droppers degree”. I thought nothing of it at the time, but since hanging around this place I sort of wanted to look at it in a bit more detail.

Now, I’m no IT staff, and I’m by no means a developer, but I do dabble in PHP and automating things, so very quickly I saw some (serious) problems.

  1. Passwords are non-salted MD5 hashes
    There are four user accounts, one is the dev, and the other 3 are from some people who do content management, with roles “super admin”, “admin” and “user”. I managed to recover 3 out of 4 plaintext passwords in 4 different ways, Google search for MD5 reverse lookup, hashcat with dictionary attack, hashcat and mentalist with bruteforce attack, Facebook “about” page for some of the people involved (yes, 50% of the passwords are FirstnameBirthYear). The only one I couldn’t recover was the dev.
    Now what I definitely DID NOT DO is use TOR to try and log in to our parent company websites using these credentials and IT DEFINITELY DID NOT WORK :wink:. And when I didn’t do this, no one noticed a login from who knows where the exit node was.

  2. There is no CSRF protection of any kind, I think. There is no 2FA of any kind, I’m sure
    Every single form has no token of any kind to make sure there are no CSRF shenanigans. I tried using curl to send a POST request to the login page, and if the credentials are wrong I get back HTML with “wrong username or password” in it. If however I POST the right login credentials I get back the login page with no errors, I assume because there is no way to create a session. So in theory I could inject an account via cross site scripting? I have no idea how, but in theory I could, right? (done on Linode VM, not live site)

  3. There is a lapse in logic when creating accounts
    When creating accounts, code will check if the user is “superadmin” or “admin” but nothing else. The problem is this info comes from the hidden form field that I can edit and put “Bugs Bunny” in if I want. In combination with adding an option of “superadmin” to HTML I was able to use “admin” account to inject a “superadmin” account. The fun part is that super admin accounts are not listed, so no one would even know about this. (done on Linode VM, not live site)

These are just some problems I tracked down within a couple of days, and I have no official computer science or software engineering training at all. How can someone claiming to be a software engineer not know about these things I picked up casually dabbling in PHP?
How do I approach this and warn my parent company about the problems, knowing them I don’t think IT people will care (or will and take 100% credit for it), and senior management won’t have any idea what I’m talking about.

I’m thinking about approaching the dev, and letting the parent company president and IT director know at the same time, and at least ask for better passwords and CSRF protections, this should be trivial to do, but I don’t know if their ego will kick in.

My dilemma is if I do something about this, I’ll be damned if someone else gets a pay bump for it, and on the other hand there is a serious potential of getting hacked if I just leave it alone.

3 Likes
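The account-creation flaw from item 3, shown as an added PHP example that is not the developer's CMS code: the version that trusts a hidden form field beside one that takes the acting user's role from the server-side session. saveUser() is a hypothetical stub.

```php
<?php
// Added example, not the CMS's code. Assumes the acting user's role was stored
// in the session at login, and a hypothetical saveUser() that inserts the row.
declare(strict_types=1);

const ROLE_RANK = ['user' => 1, 'admin' => 2, 'superadmin' => 3];

// The flaw described in item 3: the acting user's role is read from a hidden
// form field, so any client can claim "superadmin" and mint a hidden account.
function createAccountVulnerable(array $post): bool
{
    if (in_array($post['actor_role'] ?? '', ['admin', 'superadmin'], true)) {
        return saveUser($post['username'] ?? '', $post['password'] ?? '', $post['new_role'] ?? '');
    }
    return false;
}

// Hardened version: the actor's role comes only from the server-side session,
// the requested role must be a known one, and an actor may only create accounts
// of strictly lower rank (one possible policy: an admin never creates a superadmin).
function createAccountHardened(array $post, array $session): bool
{
    $actorRole = $session['role'] ?? '';
    $newRole   = $post['new_role'] ?? '';

    if (!array_key_exists($actorRole, ROLE_RANK) || !array_key_exists($newRole, ROLE_RANK)) {
        return false;                         // unknown role, e.g. "Bugs Bunny"
    }
    if (ROLE_RANK[$newRole] >= ROLE_RANK[$actorRole]) {
        return false;                         // no creating peers or superiors
    }
    return saveUser($post['username'] ?? '', $post['password'] ?? '', $newRole);
}

// Hypothetical persistence stub; a real app would INSERT with a prepared
// statement and store password_hash($password, PASSWORD_DEFAULT), never md5().
function saveUser(string $username, string $password, string $role): bool
{
    echo "created $username as $role\n";
    return true;
}

// Constructed request: an "admin" session submitting a tampered form that
// claims a superadmin actor and asks for a superadmin account.
$session = ['role' => 'admin'];
$post = ['username' => 'ghost', 'password' => 'x',
         'new_role' => 'superadmin', 'actor_role' => 'superadmin'];
var_dump(createAccountVulnerable($post));
var_dump(createAccountHardened($post, $session));
```

The hidden-field value is still sent by the browser in the hardened version; it is simply never consulted for authorization.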

Man, I have met several programmers and software engineers and they don’t know the first thing about security. My degree program is Cybersecurity and networking and it is a completely different ball game. This dude sounds like an asshat that is a little too full of himself and his work shows it. -End of Rant

I would def tell the IT director unless you just don’t give a shit about your company. I don’t think that there is a way for you to benefit from this other than maybe telling the president directly? If you are worried about people’s egos then that is probably 90% of why your company has security issues. Idk, man. Seems like quite the sticky situation.

1 Like

Do not worry about computer science degrees and seniority here. Any programming team worth their salt knows degrees and seniority matter very little in this field, what matters is results, the state of the codebase, and the customers. If you think there is a problem, then report it - first to your team, and then decide upon actions together.

At the end of the day, you and your coworkers are a team, and cooperation takes both the team and you a lot further than competition does. Sure, someone might get a pay raise by profiting on your work, on the other hand it’s much more likely you’ll be switching your job within a year or two, and that will in all honesty bump your pay a lot more.

I know, and I do care about the company and the people who use those websites, but maybe I should have said it before - this is not the first time I’m doing their job for them, but this would be the first time that I’m doing it in such an elaborate way.

My team is 4 people who develop and build tools (like physical tools, die cutter knives, gluers and stuff) for the factory floor. On the outside we look like four guys with a laptop and reciprocating saws, drills, bendy sharp things, screws and so on… so what do we know about technology - right. However, we have automated a lot of manual setup in manufacturing, halving the machine setup times, and we can do predictive tool maintenance by analyzing manufacturing output data and past tool maintenance logs, all by dabbling in PHP and Python in a safe “we know our limitations” way. Our paychecks have more than tripled in 6-7 years, so I really like it here, but I can’t stand seeing these problems unresolved, unlike the other 3 guys on my team who only care about our performance and manufacturing output.

Thank you for the suggestions, I’m sorry, I’m just venting at this point… I’ll probably just talk to IT and try and do something about it.

Just for info, the friend is in the same company/group of companies?

And did he get you an admin account for the site he is responsible for?
Or did he entrust you with his admin login?

This does sound interesting, if only for ability-vs-authorisation.
Looks like the brief was cold storage, as a favour, but authorisation given to tinker with company property?

I don’t imagine there will be bad blowback on you for looking/poking, but it looks bad for their op-sec, on top of the actual flaws you spotted.

Just wondering if his solution to share with you/your team is any better than just buying a few external HDDs for encrypted backup…

As his solution is to share it with a colleague, not sure they would listen to the unexpected security audit that you gave them…

Tell them for sure, but don’t be surprised if they don’t fix. And if you prefer your job anyway, why not let your mate gain glory/pay rise for your effort?
You could ask a one off consultant fee, but it doesn’t look like they asked for it, so might get a bit annoyed/troubled?

Or, maybe look at asking them for a job, but you might not like the full time job they have to do?

Degrees don’t mean shit. And this isn’t exclusive to IT. I have a degree in business computing, but I don’t know much about webservers. I do not pretend I do.

But sometimes jobs and CVs converge into rather unfortunate constellations. And as long as the ship is sailing and not sinking, nobody cares about the leaking water downstairs.

This is very common and I’ve seen this “dark sewer” in multiple industries from CEOs down to interns, throughout my career. Interesting, but daily business in most companies I’ve worked with.

The friend who sent me the backup has no idea how to use almost any tech. Email and printing docs is the best he can do. He is not a part of our group of companies, just a single self-employed man. His website has nothing to do with us; coincidentally it’s just the same developer, whom he probably hired after seeing them work for my parent company.

Essentially yes - I’m the guy with a redundant NAS at home with about 200 megs allocated to his stuff.

He didn’t actually get the admin account (yet, we expect it one of these days), or even have an account, but I did get the OK to poke around, just not allowed to resell or reuse it for any website other than his.

The developer is really proud of their “Custom CMS”, but they did reuse passwords for presumably all clients, so when I DIDN’T try logging in to our company website, it DIDN’T WORK AT ALL.

Code flaws are shared between all clients (prominently featured on their website by the way), no question about it.

1 Like

Gotcha.
And makes sense that the dev would do the same mistakes all the time, hopefully through ignorance.
Presumably he has a few clients, and for sure needs to know, in order to fix.
Even if your company drops him, others are vulnerable…

I don’t know your corporate structure, but like Ucav suggested, have a word with management.
And if nothing happens in a reasonable time, then start sending emails.
Don’t be surprised if the implications are not realised by normie management, and they keep using the dev, as long as he changes up

Your company should be doing annual pen tests.

This keeps everyone honest and forces everyone to take security more seriously.

If your company hasn’t already done a pen test with this software, request one.

Companies are usually only focused on what the widget does, security is the afterthought for most of them.

If this software is going to be used to hold customer data of any kind then it’s going to break several laws lol.

And if they don’t bite, fire back with, “no one will buy this software while they know it is this insecure”. If it affects their bottom line they will move mountains.

If the rot spreads deep, try to get upper management to start a few security courses?

Most people shift foot when they learn that just doing a few, non-intrusive practices will save you and your company/customers $$$$$$$$$$$$$$ by introducing damage mitigation strategies.

I personally would take the team, have a couple of security workshops to make them understand ransomware attacks will cost them and their customers and just in general train the team to spot these things and mitigate them. If you have another team in the company that focuses on security, take advantage of that and ask for a knowledge exchange.

Above all, be transparent that no-one is at fault here, you’re not looking for a scapegoat you are looking for a way to improve your products and mitigate company risk.

Yes, but how do they know that if you don’t tell them? ^^

Security is definitely an easy place to skimp on if your customer does not know how to validate it. Though, in this case I’d say it’s probably just incompetence, because the step up from hashing a password to hashing+salting it should be like 5 minutes of work. Not to mention that MD5 hashes are not exactly suitable for passwords these days. There is a standard PHP function called password_hash; it uses bcrypt. The dev should be using that one, not MD5.

Does it return any token of some sort? You don’t necessarily need a session to provide a login mechanism. You can store user information in validatable tokens (like JWT) without holding state on the server side, tokens that you cannot replicate unless you know the secret or certificate the server is using to create them. But just the fact that it returns the login page without errors does not tell you how it authenticates. I’d look at what’s sent with requests after login (Authenticate headers); if there is no such thing, look if there is a cookie. If there is no such thing either, you probably got a problem.

1 Like
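The unsalted MD5 storage from the first post next to the password_hash() approach recommended here, as an added PHP example that is not the CMS's code. The user record is a constructed array; the login check also migrates legacy MD5 rows on first successful login.

```php
<?php
// Added example, not the CMS's code: replacing unsalted MD5 with password_hash().
// The user record is a constructed array; a real app reads and updates a table.
declare(strict_types=1);

const BCRYPT_OPTS = ['cost' => 12];

// What the thread describes: md5() with no salt. Equal passwords give equal
// hashes, and MD5 is fast enough to brute-force or look up in reverse tables.
function legacyMd5Matches(string $password, string $storedMd5): bool
{
    return hash_equals(strtolower($storedMd5), md5($password));
}

// Hardened: bcrypt via password_hash(), which draws its own random salt and
// embeds salt and cost in the returned string, so nothing extra is stored.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
}

// Login check that also migrates legacy rows: a stored value that looks like
// a 32-hex-char MD5 is checked the old way and, on success, rehashed with
// bcrypt. Returns the (possibly upgraded) record, or null on failure.
function verifyAndUpgrade(string $password, array $user): ?array
{
    $stored = (string) $user['password_hash'];

    if (preg_match('/^[0-9a-fA-F]{32}$/', $stored) === 1) {
        if (!legacyMd5Matches($password, $stored)) {
            return null;
        }
        $user['password_hash'] = storePassword($password);   // migrate
        return $user;
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $user['password_hash'] = storePassword($password);   // cost was raised
    }
    return $user;
}

// Constructed sample: a legacy row holding md5("Alice1985"), the
// FirstnameBirthYear pattern mentioned in the first post.
$legacy = ['name' => 'alice', 'password_hash' => md5('Alice1985')];
var_dump(verifyAndUpgrade('wrong', $legacy));
$upgraded = verifyAndUpgrade('Alice1985', $legacy);
echo password_get_info($upgraded['password_hash'])['algoName'], "\n";
```

The migration path only helps once users log in; rows that never do keep their MD5 and should be expired or force-reset.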

The news, for their inevitable data breach being plastered on every outlet.

Possible, but I for one never heard news of breaches with a grand total of 4 users in the database.

Maybe, I’m reading the wrong news.

They could get sued for

Not sure that would make it to the news though. It sounds too little (in size) to really report on it in a big way.

The credential for the 4 user site, is the same as the larger company.

And presumably all the other companies the dev worked with.

or, the same style, which is why vivante was worried?

I’m not sure, that is a bit above my “skill” level, as far as I can tell it’s a session cookie that authenticates the user, but I don’t know 100% for the rest of the mechanism, and I already tore down the VM so I can’t snoop around more for now.

These are just users who administer the sites, there is some user data too as there are mailing lists at least. Other than user data, there are other possibilities such as distributing malware, defacing - take your pick.

However I look at it it’s just plain bad with a potential for a lot of problems down the line.

1 Like

Does not really say too much though, because cookies could be anything. It’s just something to store stuff in that gets sent with every request automagically (so you have to look at what’s inside and how it gets validated). You can set them to not be editable by javascript code, you can create them from the frontend or the backend, and they can contain anything from completely arbitrary nonsense to something that is meaningful for authentication.

Based on

the cookie might very well be “role=superadmin”. :sweat_smile:

1 Like

It sounds like you guys really need to hold a couple of security workshops with an outside expert. See if you can find a resource internally, perhaps at the IT department. Failing that see if you can hire an expert for a few days. It might be time to start working with a more professional software firm / department, too.

Don’t bother next time. Figuring out they’re non salted hashes is good enough, also MD5 anywhere is a red flag.

Proper CSRF requires some token that’s either a signed nonce or has fully encrypted payload uniquely tying the form submission endpoint (any mutable or non-public API) to the page that’s intended to send the request.

Look at Elmer, you shouldn’t mess with Bugs Bunny, :slight_smile: obviously creds should come from session cookies.

What about CSP?

Ok, so there’s four bugs and they’re easily fixable, you should figure out how to best help your friend. (e.g. is there a better CMS vendor they can use, can /you/ patch up the app for your friend?)


I don’t really know anything about security, not my area of expertise, security landscape also often changes.


Re specific situations, in companies and business stuff rolls downhill, always. Use that to your advantage, take care of your friend, and ask to reach out to relevant people
Send a short email, using your work mail address:
If there’s no head of IT or security in parent company, ask to find them

Hi John,
We haven’t met before, I work in such-and-such with so-and-so group

I’m somewhat of a computer security enthusiast as well, and through happenstance, (helping a close personal friend not related to the company), I got to look at some source code for a web system parent-company-name seems to be using.

I had a quick look at the code and have some serious concerns about quality and very specifically and especially security.

I would like to help ensure we’re not vulnerable too.

Who would be the best person to reach out to for a quick meeting, with more detail?

Thank you for your time,

Also, if they delegate this to someone else, remember to circle back and report that the issue was fixed with somebody-somebody on the same thread, and thank them again. (to reinforce good behavior on their own potentially twisted C-level psyche … or just to say nice words… …or to claim your prize…your choice of perspective :slight_smile: ).


Re degrees:

Building products is hard and 1 degree typically doesn’t cover both coding 101/102, algorithms and data structures and databases and software project management, distributed systems, applied crypto and security, and business and marketing at the same time. (maybe postgrad at MIT or Stanford these days, I’m not keeping up). The trend is to partition these programmes into more manageable pieces and let folks choose what to specialize in.

Then they (one man shop developers) need to keep up with all of those to stay competitive - and that’s hard – so they cut corners somewhere and in this case it seems security. I wouldn’t read too much into the douchiness if any (could be advertising facade they project), and would focus on problem at hand / product , instead.

Usually people who run their own businesses realize this is all hard at some point and start working together with others and that’s ok.


Good luck.

2 Likes
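The signed, endpoint-bound CSRF token described in this reply (the kind the forms in the first post lack), as an added PHP example that is not the developer's code. $key is a hypothetical server secret loaded from configuration, and the session ids are made up.

```php
<?php
// Added example, not the CMS's code: an HMAC-signed CSRF token that binds the
// session, the target endpoint and an expiry. $key is a hypothetical server
// secret loaded from configuration; endpoints must not contain '|' since it
// is the field separator.
declare(strict_types=1);

// Token = base64( nonce|endpoint|expiry|hmac ), where the HMAC also covers the
// session id, so nothing has to be stored server-side to verify it later.
function csrfTokenCreate(string $key, string $sessionId, string $endpoint, int $ttl = 3600): string
{
    $nonce   = bin2hex(random_bytes(16));
    $expiry  = time() + $ttl;
    $payload = "$nonce|$endpoint|$expiry";
    $mac     = hash_hmac('sha256', "$sessionId|$payload", $key);
    return base64_encode("$payload|$mac");
}

// Verification recomputes the MAC with the current session id and the endpoint
// actually being posted to: a token minted for /profile is rejected at
// /users/create, and another session's token is rejected outright.
function csrfTokenVerify(string $key, string $sessionId, string $endpoint, string $token): bool
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return false;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return false;
    }
    [$nonce, $tokEndpoint, $expiry, $mac] = $parts;
    if ($tokEndpoint !== $endpoint || !ctype_digit($expiry) || (int) $expiry < time()) {
        return false;                                       // wrong endpoint or expired
    }
    $expected = hash_hmac('sha256', "$sessionId|$nonce|$tokEndpoint|$expiry", $key);
    return hash_equals($expected, $mac);                    // constant-time compare
}

// Constructed demo with a throwaway key and made-up session ids: the token is
// checked for the session and endpoint it was issued for, then against a
// different session and a different endpoint.
$key   = random_bytes(32);
$token = csrfTokenCreate($key, 'sess-A', '/users/create');
var_dump(csrfTokenVerify($key, 'sess-A', '/users/create', $token));
var_dump(csrfTokenVerify($key, 'sess-B', '/users/create', $token));
var_dump(csrfTokenVerify($key, 'sess-A', '/profile', $token));
```

Emit the token as a hidden field in every state-changing form and verify it before acting on the POST; a token issued to one session never validates in another.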