ICEBlock handled my vulnerability report in the worst possible way

161 points | FergusArgyll | 6 months ago | micahflee.com

118 comments

8organicbits | 6 months ago
While I think an update to the Apache version is a good idea, this is a very low quality report. There are tons of people scanning the web looking for out-of-date software and sending low effort reports about known CVEs. This is the kind of report even large companies ignore.

Critically, it's not even clear that this is a vulnerability report. Yes, the version is outdated, and yes, there are known CVEs, but is the server actually vulnerable?

The CVE referenced has the key phrase: "... whose response headers are malicious or exploitable". This does not appear to be a CVE that would impact every installation. You need to find a way to control the response headers, meaning you need to chain another vulnerability.

Without verifying that the server is vulnerable this isn't a vulnerability report. It's a suggestion to install updates. Paired with the poor delivery, it seems reasonable for the author to get blocked and ignored.

vips7L | 6 months ago
>yes there are known CVEs, but is the server actually vulnerable?

I ask this question every time some security guy scans my dependencies; they never can actually determine that, and I'm forced to drop everything to fix it.

kayfox | 6 months ago
> While I think an update to the Apache version is a good idea, this is a very low quality report.

It's still a report, which should be handled with seriousness and professionalism. What that app developer did was neither.

evilDagmar | 6 months ago
Truth. A stripped down configuration of that running nothing but personally-written code on the backend would pretty much render those issues moot (as in "completely mitigated").

Considering how lacking in detail the reports were, I'd probably have just dismissed this man's claims as "AI slop". That he was relying on nmap to tell him the version of something that is easily discovered using openssl s_client (because those HTTP response headers are perfectly human-readable) is kind of telling in and of itself.

DoctorOW | 6 months ago
> run something like sudo apt update && sudo apt upgrade

I assume this means that the author of this post has seen the Debian version in their nmap. The latest version of which would be 2.4.65-1~deb12u1[1]. You'll notice that there is a Debian version number attached to the Apache version number, which means that the version number nmap found doesn't necessarily mean the software is unpatched. I've never used ICEBlock or talked to this developer, but I have no doubt he's dealing with beg bounties[2], harassment, and bad faith critique of his software, which the screenshotted messages look like.

EDIT: For the sake of clarity, I think I should have phrased it the other way around. Bad faith messages look like the ones the author sent. I'm not discussing the actual intention of the messages but the pattern seeking brain's reception to them.

[1]: https://security-tracker.debian.org/tracker/source-package/a...

[2]: https://www.troyhunt.com/beg-bounties/

drbscl | 6 months ago
It's pretty likely the guy blocked the author after seeing them link a blog post insulting his work, no?

Sure he should take the vulnerability report seriously, but it's pretty clear that bundling a report above the words "activism theater" isn't going to make someone want to read it.

Instead, just "hey man, you're on a vulnerable version of httpd" is likely going to be more effective.

thefreeman | 6 months ago
It also barely meets the definition of "a vulnerability report". He basically just nmap scanned the server and googled the Apache version. The "critical" vulnerability he linked requires controlling a backend server being reverse proxied through Apache... so completely irrelevant. I didn't read every CVE for the Apache version, but I am doubtful there is anything that actually allows taking over the server there.

JumpCrisscross | 6 months ago
> pretty likely the guy blocked the author after seeing them link a blog post insulting his work, no?

No.

“Joshua runs two Bluesky accounts: @iceblock.app, the account of the ICEBlock app, and @joshua.stealingheather.com‬, Joshua's personal account. His personal account had DMs closed, but the ICEBlock account had DMs open, so [the author] sent him DMs there” about the upcoming blog post.

Joshua reacted to the blog post by blocking the author on the ICEBlock account.

When, “a few days later…[ICEBlock’s] server was still running Apache 2.4.5,” the author “decided to give [Joshua] a deadline to patch his server before [the author] publicly disclosed the vulnerability.” The author sent this deadline to Joshua’s “@joshua.stealingheather.com” account.

“An hour and a half” after the deadline was communicated, Joshua blocked the author from his personal account, too.

hughw | 6 months ago
Also, maybe activism theater isn't so bad. I mean, not everyone has the temperament or motivation that the severe activists do, and maybe just "doing something" (as long as it's harmless) raises general awareness and critical mass and eventually creates more activism.

toss1 | 6 months ago
THIS.

Conflating a software vulnerability with a criticism of the overall concept is a good way to become non-credible and get both ignored.

The article repeatedly claims the entire concept is mere "activism theater" yet with zero evidence or even discussion to back up the claims. In fact, this sort of app may be very effective in both helping people evade authoritarian raids and helping generate flash-mob-type protests that impede the authoritarians. Every bit of friction added to authoritarian rule improves the likelihood of successfully defeating it.

And, buried in the vague overall accusations of not liking the app, the author is stating he's using the wrong version of Apache. I missed anything about the actual good version if it was in there. And, he openly admits he has no idea if the server in question even houses any significant data.

The whole article comes off as the author being an asshat, and even more sore that he's being ignored. TBF, I'd probably ignore him too.

But yeah, it probably is a good idea to run the update sooner rather than later.

zhouzhao | 6 months ago
If you had read the actual article, you'd know that the headline is fitting. He got warned that it is an unflattering article; he got the hint about the insecure web server; he had the chance to explain himself and set things right.

It appears this app was vibe coded, has no security, now serves a lot of people, and the author is somehow thinking how to make money out of it, hence the reluctance to make the code open source.

sd9 | 6 months ago
Disclaimer: UK citizen. I don’t know anything about ICE or whose side I’m “supposed to be on” politically here. I’m just responding to the details in the article. The app might as well be TodoApp.

The vulnerability couldn’t have been reported in a worse way. OP gave unreasonably short deadlines, allowed moral opinions about the software to interfere with responsible disclosure, and interspersed details about the potential vulnerability with inflammatory remarks about the mission of the product. I don't think OP's goal was actually to secure the app.

OP was going to publish a scathing blog post about ICEBlock either way, and essentially engineered a situation where the ICEBlock author had to act within unreasonable timelines. He published the original blog post an hour and a half after reporting the vulnerability. Then gave a week’s deadline before another one.

Sure, potentially the ICEBlock author also allowed feelings to interfere with upgrading the vulnerable version too.

But ICEBlock has millions of users, according to the blog post. I’m cautious about upgrading dependency versions for apps I manage with <100 internal users. In my experience, upgrades are 99% trivial, and 1% cause disastrous headaches and downtime. If I were the ICEBlock author, I would put this on a list of things to look into, and ensure that it was tested thoroughly if I did decide to upgrade. It’s not as simple as running “sudo apt upgrade”.

And I imagine that given the scale of the product, the author has incredible demands on his time, and can’t just drop everything because somebody (who has already shown themselves to be communicating rather negatively) imposes an arbitrary short deadline.

Now maybe it turns out that I’m unaware that ICEBlock is a huge net negative for the world, which is why this post has so many upvotes. But just interpreting the facts as they’re presented in the article, and substituting ICEBlock for TodoApp… I don’t see how the developer has acted unreasonably.

Post script: I followed up and read the original blog post (https://micahflee.com/unfortunately-the-iceblock-app-is-acti...), which I largely agree with. I still think Micah has mishandled communicating the vulnerability.

breakpointalpha | 6 months ago
This was my immediate reaction as well. 1.5 hours is unreasonably short even for an acknowledgement message!

My employer rarely has that level of urgency, let alone a side project that is probably revenue negative!

This feels like a hit piece...

Zak | 6 months ago
I've had a negative impression of ICEBlock's developer since GrapheneOS debunked their privacy-related excuses for not creating an Android version: https://bsky.app/profile/grapheneos.org/post/3lt2prfb2vk2r
jajuuka | 6 months ago
Yeah he's always been block happy for ANY amount of criticism. Really seems like this guy is more interested in looking like a good person for making this app.
joemazerino | 6 months ago
These concerns are justified but it is ironic bringing up GrapheneOS which routinely blocks critics as well.
invokestatic | 6 months ago
Checking version numbers usually isn’t a good way of determining whether software on Linux is vulnerable to CVEs. Big distros (especially Red Hat derivatives) lock software versions but backport security patches. Reporting “vulnerabilities” solely based on the reported version number is pure noise.
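A worked illustration of the point made in this comment and in DoctorOW's note about the Debian revision, added here as an example (not code from ICEBlock, the blog post or anyone in the thread): it separates "the banner is in the affected upstream range" from "the installed package's changelog names the CVE", which is the check a distro backport actually answers. The version strings other than 2.4.65-1~deb12u1, the CVE ID and the changelog text are constructed placeholders.

```python
"""Why a scanner's version banner alone is not a verified finding.

Debian-style packages keep the upstream version ("2.4.65") and carry security
backports in the Debian revision ("-1~deb12u1"); the HTTP banner shows only the
upstream part. On the host, `dpkg -s apache2` gives the full package version and
`apt-get changelog apache2` lists the CVE IDs each upload fixed.
"""
import re
from typing import Optional

# [epoch:]upstream[-debian_revision]; the last hyphen separates the revision.
DEB_VERSION = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<upstream>.+?)(?:-(?P<revision>[^-]+))?$")


def split_deb_version(version: str) -> tuple[str, Optional[str]]:
    """'2.4.65-1~deb12u1' -> ('2.4.65', '1~deb12u1'); a bare '2.4.5' has no revision."""
    m = DEB_VERSION.match(version)
    if not m:
        raise ValueError(f"not a Debian version string: {version!r}")
    return m.group("upstream"), m.group("revision")


def upstream_key(upstream: str) -> tuple[int, ...]:
    """Numeric sort key for an upstream version (simplified: ignores ~rc/letter suffixes)."""
    return tuple(int(p) for p in re.findall(r"\d+", upstream))


def banner_in_affected_range(banner_upstream: str, fixed_upstream: str) -> bool:
    """True when the advertised upstream version is older than the upstream fix."""
    return upstream_key(banner_upstream) < upstream_key(fixed_upstream)


def changelog_names_cve(changelog: str, cve_id: str) -> bool:
    """Debian security uploads name the CVE IDs they fix in the package changelog."""
    return re.search(rf"\b{re.escape(cve_id)}\b", changelog, re.IGNORECASE) is not None


def assess(banner_upstream: str, fixed_upstream: str, installed: str,
           changelog: str, cve_id: str) -> str:
    """Triage verdict: 'not-affected', 'patched-by-backport' or 'unverified'.

    'unverified' means the banner is in range but nothing shows the fix was
    backported; even then, exploitability must still be verified before it is
    a finding rather than a suggestion to install updates.
    """
    if not banner_in_affected_range(banner_upstream, fixed_upstream):
        return "not-affected"
    _, revision = split_deb_version(installed)
    if revision is not None and changelog_names_cve(changelog, cve_id):
        return "patched-by-backport"
    return "unverified"


# Constructed sample of what the host itself would show. CVE ID is a placeholder.
SAMPLE_CVE = "CVE-0000-00000"
SAMPLE_CHANGELOG = """apache2 (2.4.65-1~deb12u1) bookworm-security; urgency=high
  * Backport upstream fix for CVE-0000-00000 (malicious backend response headers)
"""
```

Run `assess("2.4.65", "2.4.66", "2.4.65-1~deb12u1", SAMPLE_CHANGELOG, SAMPLE_CVE)` to see the banner-only verdict flip from "unverified" to "patched-by-backport" once the host's own package data is consulted.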
gcr | 6 months ago
Giving an author 90 minutes of lead time before public negative press doesn’t count as responsible disclosure.

Especially when that press doesn’t mention the specific security vulnerabilities you’re reporting to them. Here is a link to the blog post which accompanied the OP’s text: https://micahflee.com/unfortunately-the-iceblock-app-is-acti...

Is it reasonable to expect a maintainer to assume in good faith when the report is this unactionable?

nwroot | 6 months ago
Wait. So Apache is outdated and that’s all you found? And it’s escalated to this? Wow. I would ignore this guy also. Using nmap is an elite skill now?
netsharc | 6 months ago
The programmer has been shown to be clueless, well maybe he has a valid reason for using outdated Apache, but to me it smells like... no he doesn't. With that level of professionalism, what other rot is there?

Just like the legendary brown M&Ms, it might be an indicator of worse stuff.

sschueller | 6 months ago
To be fair, even if he did update Apache, it's running at Linode. One phone call from the feds and they have what they want.

Either don't collect anything useful, or at least host the server somewhere where a US warrant doesn't work as easily as cutting butter with a hot knife...

NanoCoaster | 6 months ago
The feds, absolutely. Still, there's a lot of other parties that should not have an easy way of accessing the data (if there is any - the joys of closed source implementations).
ashleyn | 6 months ago
To have something that is genuinely private and would qualify for listing in the app store, options are pretty limited. I don't think they allow developers to use onion services or anything like that. You could host the server in other countries, but even in hostile countries, it's not a leap of logic to assume the NSA would have an easy time getting in there all without the worry of that pesky "legal" thing.
scubakid | 6 months ago
> outdated software with known vulnerabilities

Maybe I missed it, but was it ever established that these general vulnerabilities are actually relevant to this specific system/implementation?

frenchtoast8 | 6 months ago
The author says "it might be trivial for anyone to hack your server." "Might" is doing way too much heavy lifting here. Actually, the author has no idea if there is any actual exploitable vulnerability on the server. They just Googled a version number and fired off a "vulnerability report," which "might" be worth as much as the dozens of emails I get a month about "huge vulnerabilities" related to my SPF record, or those CVEs that boil down to "if someone has root on the machine they could do something bad on the machine."

I can't help but feel that the author's motivation was to get some sort of reaction, and now they've gotten it. If this vulnerability was so vital to be patched, why would it be bundled into a "by the way" DM on Twitter along with a post heavily criticizing the app developer? Both people involved can be idiots here.

Larrikin | 6 months ago
His arguments against creating an Android version made it seem like he didn't really know what he was doing, when the app first got publicity.

mangoman | 6 months ago
I’ve never built something like ICEBlock that puts me personally in the crosshairs of not just normal hacking attempts, but also the political will of the federal government. I can’t imagine the cesspool that is Joshua’s DMs. I think OP makes all the right assessments when examining how seriously ICEBlock is taking the risks here. The Android push notifications assertion is proof enough to make me raise a pretty big question, let alone the other issues raised.

Were I building something that I would want to assert the level of privacy claims that ICEBlock asserts, I would absolutely be taking any/all reports about security extremely seriously.

jmuguy | 6 months ago
Unless I've got the timeline wrong did the author contact ICEBlock's creator about the outdated Apache version and then a few hours later post publicly about it? If that's the case I can understand why he blocked the author.
qwertytyyuu | 6 months ago
He made the first post about it a few hours after, only gesturing at the potential. Gave it one week, then posted another spelling it out explicitly.

zhouzhao | 6 months ago
You are mistaken, read the article.

netsharc | 6 months ago
All the information is in the article...

danielvf | 6 months ago
In the software development / security world, someone reporting a vulnerability to you is one of the greatest things one human can do for another.

I've been burned in the long past when trying to be helpful to an activist. The accuracy of information provided was never a consideration.

gwbas1c | 6 months ago
> In the software development / security world, someone reporting a vulnerability to you is one of the greatest things one human can do for another.

Depends on context. When it's a knowledgeable user reporting the issue, you're right.

What I mostly encounter are for profit "security researchers" who try to profit on fear and/or misunderstanding.

pseudo0 | 6 months ago
Unfortunately something like 90% of "vulnerability reports" are some guy in India running an automated scanner reporting something that isn't actually a vulnerability and demanding $1,000+. This creates a ton of noise in the system both for legitimate security researchers and the people stuck managing vulnerability disclosure programs.
b8 | 6 months ago
An hour and a half isn't enough time to read a DM. Also, the vulnerability would be difficult to exploit.

pluto_modadic | 6 months ago
I think Micah misses the mark here. ICEBlock has vulns, yes, but this was inappropriate.
starkparker | 6 months ago
This very much looks like both people involved are bad actors to each other. ICEBlock seems like a bad and potentially dangerous project led by someone not as competent as they project, despite best intentions, and Micah seems like someone who leapt past incident reporting and into bludgeoning with public posts that reveal he's not as competent as he projects, despite best intentions. Hell's paving, etc.

jjani | 6 months ago
Is this guy fishing for a job at DOGE? Otherwise I'm not sure what could explain why he's acting in pretty much the "worst practice" manner possible when doing security reports. Even stuff like the literal teens doing the Burger King (? iirc) and Monster Energy reports that got posted here recently, while flawed, were still way better than this.

qwertytyyuu | 6 months ago
Me having no idea what ICEBlock was, thinking that they sent lawyers after the author and ignored the warnings. This isn't that, but it's almost. He seems to genuinely want to help people but doesn't seem to know what he is doing, especially in relation to security.

Hopefully it doesn't end up doing more harm than good.

oulipo2 | 6 months ago
The author comes off a bit as a prick there... why didn't he just say "hey man, I think you have an issue, it's there, now here's how to fix it (he didn't tell him, he just says in his blog post "it's easy"), and BTW I'm here for a video call if you want me to get through it together"?

kavouras | 6 months ago
The title of the original article calling the app "activism theater" is also extremely rude. The author preferred being a prick to doing his best to fix the app.

bakugo | 6 months ago
> now here's how to fix it (he didn't tell him, he just says in his blog post "it's easy")

If you're running a service that handles sensitive user data and need a third party to tell you how to update your web server, you shouldn't be handling such data at all.

Personal data leaks from apps like this are only going to become more common (especially considering the rising popularity of "vibe coding") unless the people behind them are forced to take responsibility for their lack of security.