Mildly off topic but I don't care: I'll never forget the time I was invited as an early developer for the Palm Pre. At the time Palm's website was horrendously bad security and usability wise.
While waiting for their website to accept my upload I was poking around and decided to see what I could get into. I found that the addresses were something like /user/<sequential id> so I wondered "could I look at another user's page by changing the ID? Na, no way that would work"...but it did work. In fact I was able to see and theoretically control app submissions for all 500 developers at the time. This set of pages even included tax IDs.
So I immediately went to Palm and told them about the issue and how to reproduce. After about two weeks they finally reported that the issue was fixed...except it wasn't. What they did was change the way the pages were accessed from a standard GET with the ID in the URL to using JavaScript to accomplish the same thing but kinda sorta hide the ID (so basically fetch content via JavaScript versus page loading via direct browsing). So naturally I was able to change the ID and still get in.
It would take them another month to finally fix this issue. I was never able to convince them to let developers know their tax IDs may have been exposed along with all of their other information. I did get a special mention in one of their release notes but they spelled my name wrong :(
I signed up for the Firebase beta in February 2013 using a unique email address and got a phishing mail to that address in September 2013.
I reported this fact to [email protected] but never got a reply. I guess they preferred to sweep the theft of their customer database under the carpet.
We once used a third-party service (the name eludes me now) to handle our customer mailing list, and of course they got hacked, so everyone who used unique email address + extensions blamed us for selling their addresses to spammers. They only acknowledged the hack in a "we're investigating this"-type blog post, and 6 months laters they revamped their blog and the post mysteriously disappeared...
This is awesome, and exactly the right way to go about things (reporting things privately, telling people when there's a good outcome). It's good to see so many HN companies handling their side of the issues so well too.
EDIT: Just for curiosity's sake, how many HN companies have you tried to hack? 24 successes (not counting HN as a company) out of every company that's been through the accelerator would indicate HN companies are unusually good at websec. Conversely, if you've only tried to hack 24 and you've had 24 successes, that would indicate something else.
I was targeting YC company, I just filtered my success with YC companies.
With bug bounties there are many cases of duplicate issues or they are aware of issue internally. That count as failure for me but not to the companies.
I did my first conference talk[0] on this, and also have a similar list.
Security consulting is expensive and the value just isn't there at all for early stage companies. It's why I think Owasp top 10 should be required reading for founders.
As for my conference talk, the delivery was atrocious (warning if you choose to watch). I spent 5 minutes per startup and churned through hundreds. I didn't name names because there were too many bugs to report after a day or two of doing it.
I agree with you that early stage companies generally do not have much utility in security consulting due to its expense, but unfortunately "crowdsourced security" is not yet a viable replacement.
Once a company has enough funding that it has left the "early stage" point, there is almost no reason not to engage with security firms. This doesn't mean pay a firm $20,000 for a week or two of work, it means find the highest quality you can afford.
My own firm works with YC companies all the time and they are generally very happy with the work I do. I think it really comes down to what you offer. If you charge an unreasonable amount, have pushy salespeople, inflate the findings in your report or just view your job as handing off a report and demanding a bill, you're doing it wrong and not contributing value.
On the other hand, fairly priced security consulting with an eye towards developer education and working with the company to resolve their vulnerabilities contributes a lot of value. More security firms should try to help companies improve their security in the SDLC.
I do hope crowdsourcing security improves. I think it could be better, but it isn't yet. The results in my experience are mixed - for every bounty hunter who finds vulnerabilities you have another nine who just spam for pity findings on Hackerone and Bugcrowd. Most of the successful bounty hunters eventually just open up their own consulting shops or take very lucrative jobs with top companies like Google or Facebook.
I do wish there was a middle ground. I don't think it's fair for security consultants to work for free (which very often happens with bug bounties, even if they are very good). However, I really don't like how inflated the pricing has become at the largest security firms, which appears to be a side effect of having account managers, project managers, salespeople, "solutions architects" and finally the consultants themselves on each engagement.
The general case is that you are taking input from an untrusted source and later displaying it. You need to do two things: validate that it is the kind of data you are expecting, and scrub it of entities that might be a problem.
You can't do either one of these on the browser side because a bad actor can pretend to be your code and submit it without the checks. (For good clients, you can run a check that prevents them from making simple mistakes. You can't trust that, though.)
Validating that you have a correctly formatted URL is not too hard. You can even request the URL to make sure that it's reachable. But that doesn't tell you anything about the content, because evil people can't be trusted to turn on the evil flag in their packets. The safest case is to drop all submissions with IDNs; the next safest is to compile a list of homographs and drop anything with those; after that, you might keep a blacklist (which, unfortunately, can grow without reasonable bounds). You can outsource the blacklisting to centralized services checked via HTTPS API or DNS RBL or...
I found a bug in your page! The link to the Gitlab acknowledgements page isn't right (not sure what the correct link should be). Let me know what my bounty will be ;)
I believe you are referring to the original title: "List of Y Combinator companies I have worked with(hacked)" (I had the same feeling when I opened the page).
However, the author is a security researcher and has indeed hacked (as in, disclosed vulnerabilities) the companies in question, so I thing the title is not ambiguous.
I don't think anything he found could come close to bankrupting any of the companies... but I agree he should be receiving a more significant award, even if the companies don't have a bug bounty program yet.
Most of them are early stage, most of them just can't trust a random email,Some of them want to save money for facebook ADs. That's how startups work these days.
[+] [-] BinaryIdiot|10 years ago|reply
While waiting for their website to accept my upload I was poking around and decided to see what I could get into. I found that the addresses were something like /user/<sequential id> so I wondered "could I look at another user's page by changing the ID? Na, no way that would work"...but it did work. In fact I was able to see and theoretically control app submissions for all 500 developers at the time. This set of pages even included tax IDs.
So I immediately went to Palm and told them about the issue and how to reproduce. After about two weeks they finally reported that the issue was fixed...except it wasn't. What they did was change the way the pages were accessed from a standard GET with the ID in the URL to using JavaScript to accomplish the same thing but kinda sorta hide the ID (so basically fetch content via JavaScript versus page loading via direct browsing). So naturally I was able to change the ID and still get in.
It would take them another month to finally fix this issue. I was never able to convince them to let developers know their tax IDs may have been exposed along with all of their other information. I did get a special mention in one of their release notes but they spelled my name wrong :(
[+] [-] introvertmac|10 years ago|reply
[+] [-] Tepix|10 years ago|reply
I reported this fact to [email protected] but never got a reply. I guess they preferred to sweep the theft of their customer database under the carpet.
[+] [-] kalleboo|10 years ago|reply
[+] [-] introvertmac|10 years ago|reply
[+] [-] onion2k|10 years ago|reply
EDIT: Just for curiosity's sake, how many HN companies have you tried to hack? 24 successes (not counting HN as a company) out of every company that's been through the accelerator would indicate HN companies are unusually good at websec. Conversely, if you've only tried to hack 24 and you've had 24 successes, that would indicate something else.
[+] [-] fulafel|10 years ago|reply
(Or maybe he explicitly asked only for t-shirts?)
[+] [-] introvertmac|10 years ago|reply
With bug bounties there are many cases of duplicate issues or they are aware of issue internally. That count as failure for me but not to the companies.
[+] [-] introvertmac|10 years ago|reply
And yes YC companies are best to work with
[+] [-] armabiz|10 years ago|reply
Do you want a T-shirt?
[+] [-] introvertmac|10 years ago|reply
[+] [-] ejcx|10 years ago|reply
Security consulting is expensive and the value just isn't there at all for early stage companies. It's why I think Owasp top 10 should be required reading for founders.
As for my conference talk, the delivery was atrocious (warning if you choose to watch). I spent 5 minutes per startup and churned through hundreds. I didn't name names because there were too many bugs to report after a day or two of doing it.
[0] - https://www.youtube.com/watch?v=wzrVYyouQTk
[+] [-] dsacco|10 years ago|reply
Once a company has enough funding that it has left the "early stage" point, there is almost no reason not to engage with security firms. This doesn't mean pay a firm $20,000 for a week or two of work, it means find the highest quality you can afford.
My own firm works with YC companies all the time and they are generally very happy with the work I do. I think it really comes down to what you offer. If you charge an unreasonable amount, have pushy salespeople, inflate the findings in your report or just view your job as handing off a report and demanding a bill, you're doing it wrong and not contributing value.
On the other hand, fairly priced security consulting with an eye towards developer education and working with the company to resolve their vulnerabilities contributes a lot of value. More security firms should try to help companies improve their security in the SDLC.
I do hope crowdsourcing security improves. I think it could be better, but it isn't yet. The results in my experience are mixed - for every bounty hunter who finds vulnerabilities you have another nine who just spam for pity findings on Hackerone and Bugcrowd. Most of the successful bounty hunters eventually just open up their own consulting shops or take very lucrative jobs with top companies like Google or Facebook.
I do wish there was a middle ground. I don't think it's fair for security consultants to work for free (which very often happens with bug bounties, even if they are very good). However, I really don't like how inflated the pricing has become at the largest security firms, which appears to be a side effect of having account managers, project managers, salespeople, "solutions architects" and finally the consultants themselves on each engagement.
[+] [-] misiti3780|10 years ago|reply
[+] [-] icpmacdo|10 years ago|reply
[+] [-] introvertmac|10 years ago|reply
[+] [-] zappo2938|10 years ago|reply
1. https://en.wikipedia.org/wiki/IDN_homograph_attack
[+] [-] introvertmac|10 years ago|reply
[+] [-] Sir_Cmpwn|10 years ago|reply
>The site name display for stories was vulnerable to an IDN homograph attack.
How is that sort of thing mitigated?
[+] [-] dsr_|10 years ago|reply
You can't do either one of these on the browser side because a bad actor can pretend to be your code and submit it without the checks. (For good clients, you can run a check that prevents them from making simple mistakes. You can't trust that, though.)
Validating that you have a correctly formatted URL is not too hard. You can even request the URL to make sure that it's reachable. But that doesn't tell you anything about the content, because evil people can't be trusted to turn on the evil flag in their packets. The safest case is to drop all submissions with IDNs; the next safest is to compile a list of homographs and drop anything with those; after that, you might keep a blacklist (which, unfortunately, can grow without reasonable bounds). You can outsource the blacklisting to centralized services checked via HTTPS API or DNS RBL or...
[+] [-] pfg|10 years ago|reply
[1]: https://en.wikipedia.org/wiki/Punycode
[+] [-] willthames|10 years ago|reply
[+] [-] introvertmac|10 years ago|reply
BTW you can have free invisible hug and a big thank you :)
[+] [-] hellbanner|10 years ago|reply
[+] [-] introvertmac|10 years ago|reply
[+] [-] aagat|10 years ago|reply
The reward does seem a bit thrifty as others have pointed out. Keep up the good work.
[+] [-] andrea_s|10 years ago|reply
[+] [-] JD557|10 years ago|reply
However, the author is a security researcher and has indeed hacked (as in, disclosed vulnerabilities) the companies in question, so I thing the title is not ambiguous.
[+] [-] introvertmac|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] meowface|10 years ago|reply
[+] [-] introvertmac|10 years ago|reply
[+] [-] enigmabomb|10 years ago|reply
I hope they fit.
[+] [-] introvertmac|10 years ago|reply
[+] [-] Uptrenda|10 years ago|reply
[+] [-] introvertmac|10 years ago|reply
[+] [-] Pizzalover|10 years ago|reply
[deleted]
[+] [-] ibnudaruaji|10 years ago|reply
[deleted]
[+] [-] introvertmac|10 years ago|reply
[+] [-] raju64522|10 years ago|reply
[deleted]