58

I received an email to techsupport@websitename.com (pretty generic email) saying that there was a security flaw in my website etc. etc.

My initial reaction was that this was a scam. (How/why did they find our site.)

However, they didn't seem to be looking for money (so far) and they also had emailed it from a gmail account (which seemed off to me, spam is usually sent from weird domains) - also google marked it as important.

The overall writing is clearly not well educated, but it isn't as bad as they usually are.

The email address also seemed like a gamer address (some weird name and a few digits).

This is the email:

Hello,

I have found a Web Application Vulnerability [XSS] in 'websitename.com' which can lead an attacker to perform unauthenticated tasks like account takeovers and other malicious stuffs like web defacement (your site), port scanning through your servers to other servers on internet or may use your website to spread Ransomware, and this bug is needed to be fixed as fast as possible.

Being a responsible security researcher, I m sending this mail directly to you without making the bug public, so if you are concerned about your website's security and want detailed information and Proof-of-Concept of this bug, please contact me on my mail - email@gmail.com

Would be happy to know - do you provide any rewards (bug bounty) / swag as token of appreciation for reporting bugs ?

Thank you,

-(Foreign sounding) Name

Italics have been changed for privacy

Question:

Is this a typical thing that scammers would do?

If so, what are they trying to gain, and what would be (if any) the risks of replying to the email requesting some more information?

On the other hand, if it is in fact a legit "responsible security researcher", what kind of questions should I ask to find out?

Welz
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/73274/discussion-on-question-by-welz-email-received-regarding-security-flaw-in-website). – Rory Alsop Feb 16 '18 at 21:41

7 Answers

102

TL;DR: It's probably well-intentioned and not a scam, but just poorly written.

I don't know of any kind of scam that would be based on this. Certainly there have been attempts to extort website owners for money based on knowledge of website vulnerabilities (and the implicit threat to exploit them), but that doesn't look like the case here.

It's not a very well-written disclosure email. I've certainly stumbled across vulnerabilities before (obviously, attempting to exploit them on a site that hasn't given permission would be illegal, but there are some that can be obvious without attempting exploitation), and sent emails with the same intent as the author above, but I try to provide all the detail in the first email. I want to help. I don't want to bounce back and forth in email land.

If it were me, I would ask them for details: what page (or pages) contain the vulnerabilities, which parameters are injectable, and whether they could share a proof of concept. If you're not familiar with XSS, I recommend reading the OWASP page on the vulnerability. It's both very common and can be critical, depending on the context. A typical proof of concept (PoC) for XSS won't be dangerous to you or your site, but will do something like pop up a JavaScript alert box containing the hostname of the site, your session cookies, or even just the number 1. Any of those show that a malicious attacker could be running JavaScript on your site, which would have significant implications for your site security.

As some have pointed out, it's also possible the lack of information is them playing it "cagey" while looking for a reward/payment. Obviously, if your site does not have a published bug bounty, you're under no obligation to do so.

David
  • 7
    Yeah, this is just someone looking for work. – Stephan Bijzitter Jan 21 '18 at 19:53
  • 26
    I can see at least one reason for not giving details in the first email. If you're hoping to get a reward, you would want to get them to agree to it before sending the information. If you just send it all in one shot you could easily fear that they might just fix it without ever compensating or even acknowledging you for your help. (And if this seems selfish, I think you have to consider that most people would be more motivated to find/report bugs after being rewarded for previous ones... even if that reward only happened because the company was unable to avoid it.) – user541686 Jan 21 '18 at 23:07
  • 9
    @Mehrdad That's very true. I read about this one guy who found a million-dollar bug in Facebook and they weaseled out of paying him by saying because he managed privilege escalation (which the bug bounty program said nothing against, and found a bigger underlying bug), he violated their bug bounty TOS. – Dessa Simpson Jan 22 '18 at 15:30
  • 3
    @DuncanXSimpson, talk about weasels! Reason #1,232,135 to never trust FaceBook. – NH. Jan 22 '18 at 21:48
  • 3
    A proof of concept might also call `console.log`, which requires some familiarity with browser dev tools to view the result of. – jpmc26 Jan 22 '18 at 22:39
  • 1
    Not giving out all details may just be a way to determine whether anyone looked at it (without having to attempt to exploit the website), by forcing the relevant tech from the company to contact him, instead of sending the exploitation details (which may help tagging the email as spam, too) to the generic contacts he was probably using attempting to reach the company. – Ángel Jan 23 '18 at 23:08
  • The scam is, "here is the patch, just paste it in the body tags", which actually is the XSS... – trognanders Jan 24 '18 at 06:55
  • @BaileyS That seems more like SE than XSS (since it's not cross-site). – forest Jan 24 '18 at 13:34
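As an added illustration of the reflected XSS pattern that a harmless PoC such as the alert box described in this answer would demonstrate (example code written for this page, not from the answer's author), below is a simulated search page rendered with and without output encoding; the `escapeHtml` helper, the render functions and the query value are all constructed here:

```javascript
// Added example (not from the original answer): how a reflected XSS bug looks
// in server-side rendering and how output encoding neutralises it.
// Simulates a search page that echoes the "q" parameter back into the HTML.

// Minimal HTML entity encoder for text placed inside element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the user-controlled query is concatenated straight into markup.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Fixed: the same page with the query encoded before it reaches the HTML.
function renderSearchFixed(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Crude check used only to show the difference: does the rendered page
// contain a script element that the template itself never wrote?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed input matching the harmless PoC mentioned in the answer:
// a query that would make the page show an alert box with the number 1.
const POC_QUERY = 'shoes<script>alert(1)</script>';

// Returns whether each rendering lets the injected script through.
function demo() {
  return {
    vulnerable: containsInjectedScript(renderSearchVulnerable(POC_QUERY)), // true
    fixed: containsInjectedScript(renderSearchFixed(POC_QUERY)),           // false
  };
}
```

Encoding on output is the fix a reporter would be pointing at; the same idea applies to every place a request parameter is written into a page.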
36

Does not appear to be a scam, though it might be a type of mass-mailing due to lack of details. Maybe some guy needs money, runs Nessus on a bunch of sites and is now angling for a small reward from each?

I'd run Nessus (or some other scanner) myself to check, then contact the guy and ask for details. Truthfully answer his question about bug rewards. If you run a bug reward program and he found one, he should get his reward, that's what the program is for, right? If you don't, simply explain that you don't, but are anyway grateful for his heads-up.

Tom
18

This is called fear marketing or fear appeal. It's a marketing method that uses fear as the trigger for action.

https://en.wikipedia.org/wiki/Fear_appeal

The email contains the 3 basic stages of fear appeal.

  1. present a risk.
  2. present a vulnerability to the risk.
  3. suggest a protective action.

It is generally considered unethical.

I'm only pointing this aspect out, because the email is an unsolicited attempt to get a response using fear. It's the fact that the sender completely left out the details of what the issue is. You have to contact them to get a response, and they've already stated that they expect a token of appreciation.

When a scammer is fishing for victims they must first qualify a list of possible targets. His/her scam involves fear as a trigger to action, and if you respond you then qualify as a person who reacts to fear tactics.

It's likely they will escalate the seriousness of the problem until a trade can be made for details about the security flaw. He/she will most likely request payment by bitcoin for the information.

A true professional security consultant would have provided full contact details, mailing address and phone number of their consulting services. They also would have mentioned the benefits of their services. Whereas this email only mentions the risk of not responding.

The best approach to handling this email is to contact a credible security consultant, and hire them to investigate the claims.

Reactgular
  • 6
    While a professional security consultant may do that, what about an amateur who is getting their foot in the door? They're playing around with XSS and find a site that is vulnerable, so they decide to try to get their name out there a bit by sending an email. That sounds more likely than this being a scam, as a scam tends to be at least slightly more threatening or exaggerates the risk of the vulnerability from the get-go. – forest Jan 23 '18 at 03:12
  • 3
    +1. Considering they haven't disclosed anything (leaving the OP exposed) and already talking about a reward, I would certainly hire someone else to investigate. What kind of quality is to be expected from an unethical person anyway? – Dmitry Grigoryev Jan 23 '18 at 08:35
  • 7
    The writing style of the mail makes it clear this is not a professional consultant. It could be an amateur hoping for a small reward, maybe someone from a 2nd or 3rd world country where a few Euros are real money. – Tom Jan 23 '18 at 09:21
  • 1
    +1 This was my immediate reaction; it is obvious they are A. trying to scare OP, and B. looking for a payout. That's scam emailing 101. Stop contacting this shady individual and find someone trustworthy. – wavemode Jan 23 '18 at 17:26
6

It doesn't have to be a scam, but I wouldn't trust the person who contacted you anyway:

  • they declare having found a vulnerability but don't present the slightest proof
  • they say it's bad enough for you to be at risk but choose to leave you exposed until you contact them
  • they ask about a reward before delivering anything

Clearly, you don't want to entrust your online security to those people. If you let them help you with this vulnerability, they will know much more about your system than they do now. If you ever decide you don't need their services, how do you know the next vulnerability they find will not end up on an exploit market?

If your website has commercial value, I would definitely ask for help from security experts at your company, perhaps your hosting provider, or even hire someone more credible to do a security audit.

Dmitry Grigoryev
4

A similar email was sent to one of my clients claiming they had an SSL vulnerability, with an offer to fix. This client does not use SSL, so in that case it was an obvious scam. There are several emails of this type floating around.

John
    The fact that the client doesn't use SSL is perhaps a vulnerability in itself, but it is difficult to have flaws in the implementation of something you haven't implemented. – pwdst Jan 23 '18 at 16:12
2

I think that the best approach would be to reply back asking if the person who wrote the email has any means of showing that he really does have the ability to gain excessive access to your Internet service.

You could give him permission to exploit your service for non destructive demonstration purposes only, since it's generally considered to be illegal unauthorized access for him to do this even if it doesn't harm anything. After his attack is successful you can talk business.

The law regarding unauthorized access to a computer service in the USA is very vague, does not consider harm done or intent to do harm, and can technically be applied to nearly anything. This may be stopping him from demonstrating his attack even though it would seem like a reasonable thing to do.

Alex Cannon
0

Run a scan on your site and find out for yourself. XSS problems are very common. You can get OSSIM, which is free, and includes OpenVAS, a vulnerability scanner. You can run OSSIM in VirtualBox, or another virtualization system. Then scan your website's public IP and you'll get a full report.

  • This doesn't really answer the question regarding the particular email OP received. You are answering the question as if he was just asking "how do I know if I'm vulnerable to XSS?", which of course was not what was asked. – forest Jan 24 '18 at 13:36