(Redacted retransmit. Unsure if Russell received the unredacted version after no response and the issue remaining unpatched. Added a note about TeamHash's low prices and the implied low time.)
Hello Russell.

On 24/5/20 3:00 pm, Russell Coker via luv-main wrote:
> https://www.openbugbounty.org/reports/1170432/
> Is this some kind of scam?

Open Bug Bounty is a service to link security researchers - "TeamHash" in India - with site operators - you.

The report you've linked contains a section "For Website Operators and Owners":

- "Please contact the researcher directly to get the vulnerability details. The researcher may also help you fix the vulnerability and advise on how to prevent similar issues"

Clicking on 'contact the researcher' takes you to:

- https://www.openbugbounty.org/researchers/Teamhash/

Which contains their contact method:

- Email [email protected]

> Details aren't provided, presumably they want me to pay for that.

It is unexpected for them to demand any payment. Receiving rewards is considered a bonus.

The group do offer paid investigations (₹999 ~= 20.12 AUD), penetration testing (₹4,999 ~= 100.67 AUD) and consulting (₹1,999 ~= 40.26 AUD).

It appears that since March (COVID-19) TeamHash has been using Open Bug Bounty to reel in potential customers while some of their work may not be an option due to the lockdowns.

Your next step should be to contact TeamHash by their email above to ask them what they found.

**Edit**: Don't consider the above as endorsement or legitimacy. Their costs are suspiciously low; I wouldn't expect any decent analysis for this price. All of their Open Bug Bounty reports are the result of throwing all the domains they can find at an automated XSS discovery tool. On the other hand, you can't do much more than harmless checks without approval -- which may itself be questionable. Indian minimum wage for a single person is approximately ₹550 (9-10 AUD) per hour. This corresponds to less than 2 hours for paid investigations, about 9 hours for penetration testing and about 4 hours for consulting. If they are legitimate, they appear early in their career.
**REDACTED VERIFICATION OF AN XSS ISSUE**

As a separate issue: although your website is itself using TLS, your resources and outgoing links do not. Consequently, if you visit your website on an untrusted network (coffee shop) an attacker can replace the code from googlesyndication.com; this is just as bad for the same reasons above. Similarly, any search requests to Google are not encrypted (until Google redirects - which is too late). You just need to replace "http" with "https".

The next step for a quick review is to check how well the TLS is configured. You've passed with flying colours - A+ and A+ for IPv4 and IPv6. The only improvement would be to reject weak ciphersuites. Click on the IP addresses for further information.

- https://www.ssllabs.com/ssltest/analyze.html?d=www.coker.com.au

James McGlashan.

_______________________________________________
luv-main mailing list [email protected] https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-main
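The mixed-content problem James describes (an https page pulling scripts, images and search forms over plain http) is easy to check for mechanically before a reviewer ever looks at a TLS report. The following Python script is an added example written for this page; it is not code from the original post, from Russell's site or from any party mentioned. It parses a page, resolves every sub-resource and outgoing link against the page's own URL, flags anything whose scheme is `http`, and applies the fix the post recommends (swap the scheme, keep everything else). The sample HTML and every path in it are constructed for illustration; only the hosts `www.coker.com.au` and `googlesyndication.com` come from the post. Active mixed content (scripts, stylesheets, frames) is reported separately from passive content (images, media) because a replaced script gives an attacker on the coffee-shop network control of the whole page, while a replaced image does not.

```python
"""Mixed-content check: find sub-resources and links served over plain http
on a page that is itself served over https, and upgrade them.

Added example for this mailing-list post; the sample page below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Attributes that make the browser fetch a sub-resource automatically.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "video": ("src",),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# Tags whose content runs in the page's origin: active mixed content.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Navigational targets: not fetched automatically, but an http:// form action
# (e.g. a site-search form posting to Google) sends the user's query in clear.
LINK_ATTRS = {"a": ("href",), "form": ("action",)}


class MixedContentParser(HTMLParser):
    """Collects (kind, tag, absolute_url) for every plain-http reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr in RESOURCE_ATTRS.get(tag, ()):
            if tag == "link":
                # Only a stylesheet link executes in the page; other rel values
                # (icon, alternate) are treated as passive here.
                rel = (attrs.get("rel") or "").lower()
                kind = "active" if "stylesheet" in rel else "passive"
            else:
                kind = "active" if tag in ACTIVE_TAGS else "passive"
            self._check(tag, attrs.get(attr), kind)
        for attr in LINK_ATTRS.get(tag, ()):
            self._check(tag, attrs.get(attr), "link")

    def _check(self, tag, value, kind):
        if not value:
            return
        # Resolve relative references against the page URL so that "/style.css"
        # on an https page is correctly seen as https and not flagged.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """Return a list of (kind, tag, url) for every http:// reference in html."""
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def upgrade_to_https(url):
    """The fix from the post: replace "http" with "https", leave the rest alone."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts)[1:])
    return url


# Constructed sample page: one plain-http ad script, one relative stylesheet,
# one plain-http image, one plain-http search form and one correct https script.
SAMPLE_HTML = """
<html><head>
<script src="http://googlesyndication.com/ads.js"></script>
<link rel="stylesheet" href="/style.css">
<script src="https://cdn.example.invalid/ok.js"></script>
</head><body>
<img src="http://badge.example.invalid/badge.png">
<form action="http://www.google.com/search"><input name="q"></form>
<a href="https://www.openbugbounty.org/">OBB</a>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, "https://www.coker.com.au/"):
        print(f"{kind:8s} <{tag}> {url}  ->  {upgrade_to_https(url)}")
```

Run it against a saved copy of the page (or wire `find_mixed_content` to an HTTP client of your choice); an empty result means every fetched resource and every form already uses https, which is the state the post asks for.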
