Back in February, well over 90 days ago, I reported a vulnerability to a service that is leaking highly sensitive data, such as passport id, full name, date of birth and medical data. After that I have sent a few more reminders about the leakage, but it still hasn't been fixed. What are the best next steps I can take to get this fixed?

I'm aware of responsible disclosure and have found this question which seems similar. But I believe this situation is somewhat different because of the following reasons:

  • The data that is being leaked is highly sensitive, and very easy to find. Once I disclose the vulnerability publicly, the medical data from a couple million users is up for grabs.
  • The data seems to come from mostly underdeveloped countries, so contacting a data protection authority doesn't seem like an option, since the data doesn't come from citizens of a single country.
  • Considering how simple the exploit is, and how long this has been an issue, I'm not convinced disclosing the vulnerability publicly will make them fix it. The responses I got from them aren't too promising either.

The offending service is acting as a third party for several smaller companies. So this service is leaking the data on behalf of these smaller companies. One thing I can think of is to contact these smaller companies instead. But to be honest, they don't seem to care much about the data of their users either. So if anyone has any better ideas that'd be much appreciated.

Jespertheend
  • Did you give them an embargo period? – forest Jul 28 '22 at 23:57
  • In which country or state is the offending service hosted? Which company is hosting its web service? You can use "whois" to get this information. – A. Hersean Jul 29 '22 at 07:58
  • Also, you might want to (also) ask this question on [law.SE](https://law.stackexchange.com/). Because the best course of action might be to involve the local legal authorities. – A. Hersean Jul 29 '22 at 07:59
  • @forest I wish I had, I thought 90 days was standard but realise now that I should have mentioned this in my initial message. – Jespertheend Jul 29 '22 at 09:01
  • @A.Hersean the domain is hosted by GoDaddy but it points at an IP address that appears to come from Germany. The correspondence emails contained some Russian ("писал"), but I'm not sure in what country the company hosting this service is located. – Jespertheend Jul 29 '22 at 09:08
  • Maybe the [AS](https://hackertarget.com/as-ip-lookup/) could give you more information. – A. Hersean Jul 29 '22 at 09:11
  • If indeed, it is hosted in Germany, the privacy laws are pretty strong there. I would advise contacting German authorities. – A. Hersean Jul 29 '22 at 09:21
  • @A.Hersean it seems to be hosted by Hetzner, so contacting them might also be an option. Though I expect that will simply result in them switching to another hosting provider. I have already contacted the Brazilian, Mexican and Egyptian data protection authorities, since documents seem to mostly be from citizens of those countries. But who knows if they'll respond. – Jespertheend Jul 29 '22 at 09:28
  • Another easy option for you would be to send the information about this incident to a trustworthy press company. Some have introduced portals for sending them info on security breaches, optionally anonymously. For Germany, Heise publishing (home of Europe's largest IT journal) would be a good candidate which can handle security incidents in a responsible way. https://www.heise.de/investigativ/ – Robert Jul 29 '22 at 16:58
  • In which country is the company owning the offending service located? – Ángel Jul 30 '22 at 02:20
  • @Ángel The contact details on their website point to an address in the UK, but I think it functions as sort of a PO box. After some googling it seems the address is renting meeting rooms only. – Jespertheend Jul 30 '22 at 14:32
  • Even if their website only points to a rented meeting place, that may mean the company is incorporated in the UK. You may try reporting it to the UK [NCSC](https://www.ncsc.gov.uk/) or the [ICO](https://ico.org.uk/). – Ángel Aug 02 '22 at 00:47
  • @Ángel thanks! I'll try – Jespertheend Aug 02 '22 at 02:38

1 Answer

As the data is highly sensitive, I recommend informing the data protection authorities in the largest affected countries (where possible) immediately. The users have to know about the incident. That's why you may also work together with large, reputable media that are relevant to the user base. It could get you some more attention having a journalist write to them. In return for creating a solid contact with the developers, they may write about it after the problem is resolved.

Make your intent clear throughout the entire process. You don't want to blackmail the company, you want to get this fixed as soon as possible.

PasWei