Myriads of words have been written on the matter of responsible (or coordinated) disclosure. Tweets, mails, posts, sites, IRC chat logs, you name it. Bottom line as I see it? It’s hard. “No shit, Captain Obvious” you say? You’re right. To make things even more complicated, there’s the Wassenaar Arrangement and the cyberweapons addition to its list last year. And it’s not that you’re actually obliged by law to disclose to anyone if you do not want to. Is this moral? Well, that’s a whole other can of worms to deal with. But I definitely understand what @chronic says:
it absolutely blows my mind to see certain people get on a high horse about "disclosure" yet they've never found their own 0day or exploits
— Will Strafach (@chronic) July 2, 2015
Let me get this straight. This post does not involve a high quality 0day, or an awesome bug in the latest versions of Magento or Firefox. It’s about bitching. Bitching about how rare common sense is, and what an oxymoron that has come to be.
More than a couple of weeks ago (48 days to be precise, and I’ll come back to why I am clarifying this) I was looking into something that a less than special Google query had led me to; as far as I can recall it was a search for an email address or a subdirectory path of a WordPress plugin, nothing fancy at all. One of the results triggered my curiosity: a Greek site’s subdirectory, which normally should not be visible to third parties, was listed. Curious as I am, I started sleuthing. There were lots of subdirectories (and still are at the moment these lines are written), so I patiently looked in every one of them, just to find out whether someone had screwed up worse than simply leaving directory listing open, with data that no-one would bother to even look at, let alone download. And someone had.
These emails, along with the names of their owners, are just a fraction of what is lying around within everyone’s grasp; no SQL injection, no WordPress plugin exploits or anything exotic of that nature is involved. Though that might also be possible, as you’ll read later on. Some of these emails are public and widely available through common means. Some are not. And a spammer would love to have them as a starting point.
Probably I am not the only one to have spotted this, given how little expertise it requires, so first things first: try to contact the interested party, that is, the site and the people operating it.
@ArtAthina2015 please follow back, I need to DM you
— Gi0 (@sitoiG) May 19, 2015
There was no reply, nor a follow back. Maybe they didn’t understand what I was asking? Let’s give it one more shot, this time in Greek, one day later. In the meantime the account was tweeting and retweeting, solid proof that it was active.
@ArtAthina2015 please follow so that I can send you a private message.
— Gi0 (@sitoiG) May 20, 2015
Yet again, no response. Besides curious, I am also patient. Five days later, a third try, this time by email in Greek, from my personal email account: I disclosed my name, signed it with my PGP key, and it is easily traceable back to me even if I tried to hide those details.
Again, like talking to a wall. But hey, I said I’m a patient guy. On the sixth day after initial contact, one more try:
@ArtAthina2015 I'm guessing you're not interested in the email I've sent you on the 21st, right?
— Gi0 (@sitoiG) May 25, 2015
You guessed it, no response. So I made a final effort to contact them, on the 1st of June, again in Greek, making it clear that I was going to publish whatever I had found regarding their site.
So, here it is. Directory listing is enabled on http://www.art-athina.gr/ and the /wp-content/uploads/ folder is public, containing, among other things, lots of emails belonging to journalists, embassies, university professors, artists, etc. All of these constitute a small treasure for those who like to start with social engineering and escalate things later, let alone common spammers looking for extra email addresses to feed to their botnets.
An .htaccess file in that folder or its parent, containing “Options -Indexes”, would do the trick. Moreover, a couple of simple scans of the site with WPScan and Plecost would reveal all the major security problems that need to be fixed. For example, their WordPress installation (3.5.1) should definitely be updated (current version 4.2.2), since there are 17 vulnerabilities waiting to be exploited, some of which, like CVE-2014-9033, are pretty nasty. To top it off, some plugins also need to be updated for the exact same reasons.
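As an added example (not code from the original post), here is a small Python check a site owner can run against their own uploads folder to confirm the listing is gone after the .htaccess change. The sample HTML is constructed to look like an Apache mod_autoindex page, and the User-Agent string is made up.

```python
"""Detect an Apache mod_autoindex directory listing (the exposure described above).
Added example, not part of the original post: check your own WordPress
uploads folder before and after adding "Options -Indexes"."""
import re
import sys
import urllib.request

# mod_autoindex pages carry an "Index of <path>" title and a "Parent Directory"
# link; requiring both avoids false positives on ordinary pages.
_TITLE_RE = re.compile(r"<title>\s*Index of\s+(/[^<]*)</title>", re.I)
_HREF_RE = re.compile(r'<a href="([^"]*)"', re.I)


def parse_listing(html):
    """Return (path, entries) if html looks like an autoindex page, else None.
    entries are the file and subdirectory names the listing exposes."""
    m = _TITLE_RE.search(html)
    if m is None or "Parent Directory" not in html:
        return None
    # Drop the column sort links (?C=N;O=D) and the absolute parent link.
    entries = [h for h in _HREF_RE.findall(html)
               if not h.startswith("?") and not h.startswith("/")]
    return m.group(1), entries


def check_url(url, timeout=10.0):
    """Fetch url and return parse_listing() of the body (None = no listing)."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return parse_listing(resp.read().decode(charset, "replace"))


# Constructed sample of what mod_autoindex returns for an open uploads folder.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads/2015</title></head>
<body><h1>Index of /wp-content/uploads/2015</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/wp-content/">Parent Directory</a>
<a href="press-list.xls">press-list.xls</a>
<a href="05/">05/</a>
</body></html>"""

if __name__ == "__main__":
    # Pass a URL (your own site) to check live; with no argument the sample is used.
    result = check_url(sys.argv[1]) if len(sys.argv) > 1 else parse_listing(SAMPLE_LISTING)
    if result is None:
        print("no directory listing detected")
    else:
        path, entries = result
        print(f"listing enabled at {path}: {len(entries)} entries exposed")
        print('fix: "Options -Indexes" in .htaccess (needs AllowOverride Options) or the vhost')
```

Note that "Options -Indexes" in .htaccess only takes effect if the server's AllowOverride allows it; otherwise put the directive in the virtual host configuration.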
Earlier I mentioned that today is the 48th day since I first contacted them. CERT goes public after 45 days of informing the vendor. Project Zero takes 90 days, with the option of a grace period. Considering this is not a 0day (far from it), I think 45 days for someone who doesn’t give a damn is a pretty decent timeframe.