Fallible Blog Adventures with looking under the hood

Revision in Fallible pricing

We started Fallible with the vision to help companies secure their systems from the bad guys. As such, we started with an introductory price to test the waters and get some feedback from pilot customers.

We are revising the pricing structure for Fallible, effective today. Our standard plan now comes at $1100/month and you get a discount of one month for prepaying the amount for the full year. The standard plan gives you access to our ever-expanding list of continous integration security tests every time you deploy your code and a basic support over email and phone. Apart from these, there is an option to let us manage your bug bounty program. The enterprise plan is meant for larger organizations that have stricter compliance policies and need for on-premise deployments or need dedicated support.

The revised pricing would allow us to develop the product in a much better way. Rest assured, we will keep your assets protected as before. You can always reach us at [email protected]

Launching Product Security Index

India is a country of 1.27 billion people with internet penetration somewhere around 27% at present with a healthy double digit growth rate.

Demand has always been increasing for better, cheaper and faster services but, infrastructure just wasn’t ready, until recently. With the advent of cheaper mobile devices and increasingly affordable data plans, more people than ever have access to a wide varity of national and global products. New Internet products and services are spawning almost on a daily basis in myriad different contexts to uproot the incumbents and build products that delight customers.

Yet, amidst growing exponentially and building awesome stuff, companies are often nuisanced by the threats that come along with Internet, a massive network of diverse people. In past, Customers have dealt with harassment, exposure of private data and even financial loss in the wake of security attacks. Even with such a huge expanding user base, companies that undergo such attacks are not immune to the effects of these security breaches and had led upto loss of public trust and eventual shutdown.

Keeping this in mind, we are launching Product Security Index for the common internet products and services that people use on a daily basis. We are using a wide range of parameters to calculate these strength indices and are actively working to improve on it to mirror real world impact.

There are two major takeaways from this tool:

  • For companies, this will serve as a security benchmark index to continuously improve to keep up with their peers globally and, in the process doing justice to their customers to provide with the best experience they can.
  • For consumers, this will raise awareness regarding their privacy, data protection and financial information security provided by the companies they have trusted.

This makes a great case for companies to keep the security a central point of their products and by looking at the internet giants today, definitely pays off in the long run. But, early stage companies are not well equipped to consider all the repercussions of different design choices of their products, neither can they afford to build an in-house security expert team. That’s where Fallible comes into picture.

Fallible is SaaS security company built for making the internet products and services safer, so that companies can focus on building amazing experiences for their customers and not get distracted from achieving the solution to core problem they are tackling.

Sitesh, Manish & Abhishek

Parameters used in scoring for public security dashboard

The following types of bugs were used while ranking startups and their systems for security issues. Almost all of the bugs relate to improper user input validation, lack of proper logic while implementation or not adhering to the principle of least privilege. The weightage were given according to potential impact of the bug, ease of discovery, ease of exploit and requirement of other preconditions if any for exploit. We intend to improve upon this list of parameters and scoring over time.

Authentication

  1. Oauth redirection issue
  2. OTP refresh/attempts/implementation issue
  3. Destroy all active sessions on reset password (or offer to destroy)
  4. Input validation registration data e.g. javascript:// or data://
  5. Uniqueness constraints in database (account takeover/deletion by replacing email)
  6. Expire session token after logout
  7. Expire password reset links
  8. Session/state fixation
  9. OAuth open redirect in login
  10. OAuth exposed auth token
  11. OAuth fixation attack, missing state or unqiue token
  12. Missing CSRF token auth
  13. Improper UUIDs used as tokens (http://www.ietf.org/rfc/rfc4122.txt)
  14. Invalidate OAuth token during revocation/denial
  15. Exposed Social login tokens in apps
  16. Rate limiting/captcha after retries in reset password

Multiple registration using same unique identifier e.g. mobile

Let’s look at this innocent looking User model that uses mobile number of users as it’s primary key stored in form of string.

class User(db.Model):
	mobile = db.Column(db.String, primary_key=True)
	email = db.Column(db.String(120), unique=True)

Now let’s assume it has to send the mobile number as a big integer to a service that expects mobile numbers to be big integers for sending OTPs.

func sendMessage(mobileNumber: Int64, message: String) -> Bool {
    return true
}

func sendOTP(mobileNumber: Int64) -> Bool {
    let OTP = 1000 + arc4random_uniform(8999)
    let text = "Your OTP is \(OTP) and is valid for 15 minutes"
    return sendMessage(mobileNumber, message: text)
}

What is wrong here? Maybe the code below will clear things up. This is what happens in Python when you try converting a string to integer.

>>> phone_no = "7007001234"
>>> phone_no_evil = "7007001234\n\n"
>>> int(phone_no) == int(phone_no_evil)
True
>>> phone_no == phone_no_evil
False

And, this is what happens when you try it in Swift

Screen Shot 2016-01-31 at 2.30.24 AM.png

Configuration

Secure HTTP Headers (X-XSS-Protection, X-FRAME-Options, HSTS, CSP)

The web was created to serve static pages of content. People did not think about security for all the additional features we added to it. With these features, came security issue and there have been improvements and fixes. Just use them. It is still surprising that your servers do not have these HTTP headers.

  • Secure, httponly cookies
  • SPF headers for main and marketing email domains
  • Dangling subdomain based takeover
  • SSL configuration based issues
  • Sensitive cookies without secure flag set
  • Directory traversal
  • AWS S3 buckets exposed

Credit card details or sensitive information over HTTP

It’s 2016 and yet a billion dollar startup takes credit card information for one of their products over HTTP! Dont do it. MITM attack are really easy, just go to your nearby coffee shop or Airport.

Exposed backup files over public network

We found a machine where someone had redirect stdout of history command to a file and it was exposed online. The file has a command where a login to a remote mysql server was being done using password. In another case, we found sql dumps of databases neatly stored under a directory called backups arranged by months and date.

  • File disclousure
  • Subresource Integrity
  • Public Key Pinning

Payments

  • Secret token leak in apps/API
  • Poor SDK implementation

Poor design choices

This was an actual bug we discovered in a billion dollar startup. You could pay for an order of amount X and then use the same payment id to associate it with other future orders, the only condition being that the new order amount has to be the same as specified in the payment id. This bug could allow you to place orders for the same amount multiple number of times and pay just once. Notice that there is no unique constraint on payment_id in Transaction model.

class Order(db.Model):
	id = db.Column(db.Integer, primary_key=True)
	amount = db.Column(db.Float)

class Transaction(db.Model):
	id = db.Column(db.Integer, primary_key=True)
	order_id = db.Column(db.Integer, db.ForeignKey('order.id'), unique=True)
	payment_id = db.Column(db.Integer, db.ForeignKey('paymentgateway.id'))

class PaymentGateway(db.Model):
	id = db.Column(db.Integer, primary_key=True)
	amount = db.Column(db.Float)
  • Weak salt /secret strength of provider
  • Server side data integrity verification for payment requests
  • Race condition in coupon redemption
  • Weak emunerable coupons
  • Poorly designed referral system

Authoriation & Personal data

  1. Account details leak, missing authorization token
  2. Project more data than required in API responses
  3. Order History/information leak other than personal details
  4. Working Authorization token (not only mere presence)

Other attacks

  1. CSRF/secure token expose over HTTP (possible MITM attack)
  2. CRLF Injection attack
  3. SQL Injection
  4. XSS
  5. SQL injection using cookies
  6. CSRF token checks
  7. Open Redirects
  8. CSV Excel macro injection
  9. Server side request forgery (a good writeup here)
  10. XXE /JSON based injection

Ola gave us ₹65000 ($1000) in bounties

OlaCabs (biggest competitor of Uber in India and a multi-billion dollar startup) has recently awarded a bounty of ₹65000 ($1000) and some electronic goodies for reporting a security vulnerability in one of their apps. The whole process of bug fixes on their part took around 2 months. The bug could have been exploited for monetary benefit, obtaining personal information of users and partial credit card information and transaction history. Since the bug affects a lot more number of companies where it is still not fixed, we would update the technical details later.

It is encouraging to see startups creating bug bounty program in India and actually making it work, sadly Ola is only one of the two companies we know of who have a bounty program in India (other being payTM).

How Fallible helps your startup

Startups are facing a new problem of data leak and loss of money & business. To be fair, the workload at startups is quite high. But at the same time, we cannot expect them to compromise with privacy of their customers. There are startups that deal with stuff that would be embarassing for customers if their order history is made public. Also, these leaks increase spam emails and SMSes.

Our hypotheses -

  • Startups have security bugs
  • Automated security solutions do not discover all bugs and have lot of false positives. They are decent for XSS, SQL injection check but not for logic flaws, payment check, etc.
  • Good security researchers are expensive for startups to hire. Some charge between $300-$500/hour

The evidences -

  • We discovered multiple vulnerabilites in more than 10 Indian startups in a week, each worth $100m+. Apart from these, we found several smaller startups that had bugs. We found a bug in a payment gateway/wallet service provider which is used by almost all ecommerce companies.

  • Automated vulnerability scanners would not have been useful for most of the bugs we found. For dealing with situations where the outcome would be data leaks, problems in logic flow, payments etc. you need a capable security researcher.

  • Security researchers are notoriously difficult to hire. A mere certification for pen testing does not give you enough skills. Some of the better ones charge $500/hour and would easily rake up a bill of thousands of dollars for couple of days of work.

The Solution -

We provide you an insurance against security bugs. You pay us a premium every month and we ensure that there are no bugs in your system. If an external security researcher finds a bug, we work with them and award them a bounty that would be decent even by international standards. Our solution gives you,

  • testing of systems including web & mobile clients, APIs, ops using existing and homegrown automation tools.
  • an on-premise intrusion alert system to let you know of any abnormal activity with your APIs
  • a customized bug bounty program where reputed researchers can submit bugs, we verify their reproducibility and then alert you. You can use the fallible platform to work with the researcher to get it fixed and then we pay the bounty. You do not have to pay anything except for our monthly subscription.