Security Bug Hunters Could Expose Your Personal Data

A helpful citizen who returns a stash of cash found in the trash may receive a reward, but they don’t get to keep the loot. When the misplaced treasure is digital, though, the story looks different.

Las Vegas is home to many a fictional bank heist, but this week Sin City is hosting the Black Hat security conference. Dylan Ayrey, CEO of Truffle Security, and cybersecurity lawyer Whitney Merrill, data protection officer and lead privacy counsel for Asana, regaled Black Hat conference attendees with tales of errant personal data and the various entities that came to possess it, then posited ways to minimize the possibility of exposure.

The team focused specifically on bug bounty programs. In such a program, a major company like Microsoft sets up rules authorizing legitimate researchers to hack their products and services, rewarding successful hacks with cash. It sounds a bit iffy, but when the white-hat hackers find and report a bug, the company can fix it before it gets abused.


Just What Is the Problem?

“So, before we start,” said Ayrey, “raise your hand if you either run a bug bounty program or have participated in one. Hmm, maybe half the audience. For the half that did not raise your hand, you may have participated even though you don’t know it.”

“Why are we qualified to talk about this?” continued Ayrey. “I’m a security researcher and a bug hunter. I co-founded a company called Truffle Security, built on a privacy technology called TruffleHog.”

“Hi, I’m Whitney,” said Merrill. “I’m an attorney, but not your attorney. I’ve worked as in-house counsel for many years. Currently I support my team at Asana.”

“Bug bounty programs say, don’t touch data from other users,” continued Ayrey. “Only test with your own account. Don’t involve other users. This language is common; it’s in a lot of programs. So, this talk being about data privacy in bug bounty systems, we’re good! We’ve told our hackers not to touch the wrong data.”

At this point he brought up a slide with the text “Crap,” to much laughter. “Hey, Whitney, I accidentally accessed personal information. Is there anything I can do? Could I be in trouble?”

The pair launched into an amusing scripted conversation, much like any hacker might have with a legal-minded friend. They established that Ayrey’s testing script, designed to flag and screenshot any page that rendered his own data unsafely, was instead triggered in the session of an administrator who accessed a whole raft of accounts unsafely, so the captures held other users’ personal data. He disclosed the access, but the bounty program didn’t ask him to delete the data. In any case, deletion could be tough, as the data is all over the place: a third-party scripting system, a copy on an AWS server, the copy in Gmail, his hard drive, his Time Machine backups, and the bug-tracking system, at least.

They went on to clarify that the company involved closed the ticket reporting the bug but didn’t say anything about deleting the data. In fact, Ayrey found he could open the closed ticket and access all the personal data that was included. Looking further, he could access any personal data from all his closed tickets. And other bug hunters confirmed the same experience.


It’s Hard to Talk About

For this briefing, Ayrey wanted to offer concrete examples. “Maybe some of the companies involved would let us talk about them,” said Ayrey. “That didn’t work at first, but look, there’s a bunch more researchers; maybe we’ll find some companies that let us talk. Most of these requests got denied. For the small number that approved our request, a huge shoutout! We’re not shaming them in any way for allowing transparency.

“In an example with Google, an employee was working on tens of thousands of records with a one-off program,” said Ayrey. “Because of insecure rendering, that data goes to me. I wasn’t asked to delete it, I retained access, and the company made no disclosure. That was the story until a few days ago. But after Google saw an early copy of my talk, after two years they’re changing their processes internally to ensure that data get deleted.”

Ayrey went on to detail several more examples involving, among others, Uber and Starbucks. In every case, the researcher involved wasn’t asked to delete the personal data and retained access to it in the bug bounty system. And the company involved never disclosed the exposure.

“The takeaway is that these are not one-offs,” said Ayrey. “These events are really common. For every example we can share publicly, there are a hundred we can’t. We need to start a conversation.”

He pointed out that the current system incentivizes capture of personal information. A researcher who reveals a bug with higher impact gets a higher payout, and exposing personal information is certainly higher impact. Sometimes the bounty program will even ask for proof of impact, and again, release of personal information is plenty of proof.


Safety for Researchers, Consumers, and Bug Trackers

“In a way, why should you care?” said Merrill. “Data is everywhere. Can we even get to fixing it? Well, not to perfection, but we can take incremental steps.

“Let’s make some of that toxic waste less toxic,” she continued. “If you set up a bug bounty, you have to have the fundamentals first. Work with your legal team. The first time they hear about your bug bounty program should not be when you have a problem.

“Researchers, you can make progress at every step Dylan outlined,” she noted. “With third-party platforms, be aware of what data might wind up somewhere else. Delete what you can and know where you can’t. As for Gmail, this is an obvious one. It’s shocking to me. Don’t put stuff in email! Delete the email. Better, stick the data in a link and share the link, so the data itself isn’t in various email systems.”


Ethical Hacking

Even with all precautions, security research is a risky field. “Will you get sued?” queried Merrill. “There’s no clear-cut answer. In the past, the US Computer Fraud and Abuse Act has been used against security researchers. Bug bounties operate on the idea that hacking is authorized and thus allowed under CFAA. And a new DOJ memo says that if you’re hacking in good faith, the DOJ will not prosecute. But that line could vary. Legal issues happen when people get pissed off at each other.

“Companies, yes, you do have to notify if there’s potential harm,” she continued. “Make sure the data doesn’t persist. Ask the researcher to confirm in writing that it’s gone. Researchers, say it, don’t spray it. Don’t spray the data all over. If the company asks whether you’ve deleted it, tell the truth if you couldn’t. Bug tracking platforms, let your customers have more control. Make two-factor authentication mandatory for researcher access to your systems. And make your privacy practices clear.”
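The failure mode described in this talk, a researcher’s capture script hoovering up other users’ data when it fires in the wrong session, and Merrill’s “say it, don’t spray it” advice both come down to the same control: decide at capture time what you are allowed to keep, and strip personal data from what you do keep. The following is an added example, not code from the talk, from Truffle Security, or from any bug bounty platform. It assumes a hypothetical record format in which each capture event carries the account id of the session that rendered the page, the page URL and the rendered text; the researcher registers the test accounts they own, events from any other session are dropped before they are stored, and e-mail addresses and phone-like strings in retained events are redacted.

```python
"""Triage filter for a bug hunter's capture log (added example, hypothetical format)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Patterns for the two kinds of personal data this example redacts from retained text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


@dataclass
class CaptureEvent:
    """One rendering event reported by a test harness (assumed format)."""
    viewer_account: str   # id of the account whose session rendered the page
    url: str              # page on which the rendering happened
    rendered_text: str    # text as rendered in that session


@dataclass
class TriageResult:
    kept: List[CaptureEvent]   # events from the researcher's own accounts, redacted
    dropped: int               # events discarded because another user's session fired


def redact(text: str) -> str:
    """Replace e-mail addresses and phone-like strings with fixed placeholders."""
    text = EMAIL_RE.sub("[EMAIL REDACTED]", text)
    text = PHONE_RE.sub("[PHONE REDACTED]", text)
    return text


def triage(events: Iterable[CaptureEvent], own_accounts: Set[str]) -> TriageResult:
    """Keep only events that fired in the researcher's own sessions, redacted.

    Anything rendered for an account the researcher does not own (for example an
    administrator viewing many users' records) is counted and discarded, never
    written anywhere, so there is nothing to delete from e-mail, backups or a
    tracker later.
    """
    kept: List[CaptureEvent] = []
    dropped = 0
    for ev in events:
        if ev.viewer_account not in own_accounts:
            dropped += 1
            continue
        kept.append(CaptureEvent(ev.viewer_account, ev.url, redact(ev.rendered_text)))
    return TriageResult(kept, dropped)


# Constructed sample input: two events from the researcher's own test account and one
# that fired in an administrator's session while other users' records were on screen.
SAMPLE_EVENTS = [
    CaptureEvent("tester-001", "https://example.test/profile",
                 "Name: Test Account <tester@example.test>"),
    CaptureEvent("admin-42", "https://example.test/admin/users",
                 "jane.doe@example.test, +1 555 010 0199"),
    CaptureEvent("tester-001", "https://example.test/settings",
                 "Callback +1 555 010 0100 reached canary"),
]
OWN_ACCOUNTS = {"tester-001"}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS, OWN_ACCOUNTS)
    print(f"kept {len(result.kept)} event(s), dropped {result.dropped}")
    for ev in result.kept:
        print(f"  {ev.url}: {ev.rendered_text}")
```

The point of the design is where the decision is made: the ownership check runs before anything is persisted, so the administrator's capture never reaches the places the talk lists as hard to clean up, and the retained events still prove the rendering bug without carrying a contact address.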

“We love bug bounties, and we love the companies that let us talk about our experience. But I might be sued if I piss a company off?” said Ayrey.

“That’s where we’re landing,” concluded Merrill.

Reading this, you’re probably not a bug hunter. You’re not in any danger of getting charged under the CFAA or sued for hacking. But it’s nice to know that those who do track bugs are starting to keep your privacy in mind. With the changes proposed in this talk, it’s less likely that those attempting to protect your private information will expose it instead.
