Bug Hunters

[Ludy87]

I was just testing something in the API and discovered a vulnerability.

#24

[eirikgrindevoll]

Disclose it to them First i guess is common practise. Ask from HA community if they would be kind to also let us have more the 2 admin 👍🏻😀

[Ludy87]

that would be blackmail :P

[eirikgrindevoll]

Hehe I didnt mean that.

[Ludy87]

There is no answer from German support, I tried it before I wrote the integration.🤔

[BigFriendlyDuck]

Nah. Disclose in a secure manner and give time to fix.

[BigFriendlyDuck]

They got a bountyprogram. :D

https://www.xplora.com/bountyprogram/bountyprogram.html

[Ludy87]

They support bug hunters and forbid ways and means to disclose the vulnerabilities. And reserve the right to suspend the account.

It's a shame for me to write something like this.

[BigFriendlyDuck]

I hadn't read the full T&A - I just searched and found it.

Reading it now, and in my opinion it's not unfair rules..
They wish to have the time to fix the vulnerabilities before you published they to avoid abuse.
And from what I understand, they reserve the right to disable your access to the bounty-program if you don't play by the rules.

[Ludy87]

Three days passed and no response from Xplora.

[eirikgrindevoll]

Not interested before media writes about it?

[Ludy87]

looks like I'll run my script, when it's done in a few days I'll have all the evidence for sure.

[Ludy87]

Zero-Day

Xplora hasn't managed to answer me briefly to this day.

So I will tell you that Xplora has an interface that makes it possible to check all phone numbers and email addresses if they are registered. If a positive message comes up, the password can now be found using a brute-force attack.
If it's a parent account, you know what can be done.

[Ludy87]

https://github.com/Ludy87/pyxplora_api#other

[BigFriendlyDuck]

From your description I wouldn't classify it as a bug, but as bad design.
Ideally, the reply should say something like "Username and/or password does not exist." if either of them is wrong to avoid the scenario listed above.
Unfortunately this would make it harder for users who has forgot their username, and my guess is that most users of the Xplora-service isn't tech-savvys, so it could cause a lot of extra support-calls to handle for Xplora. (So it's a Cost/Benefit-calculation, really.)
Maybe they should implement a rate- and max-limit? A maximum of 6 tries per minute and 24 tries per IP per day, for example. My guess is that would stop most automated systems at least.