We found a vulnerability and were pleasantly surprised by the response
As a cybersecurity professional, I come across a lot of news about scams and phishing attacks. By now, almost everyone is familiar with the Nigerian Prince and lottery-style scams. But I’ll be the first to admit that I’m a sucker for a good promotion. I wouldn’t say I go so far as to buy a magazine and clip out all of the draws, but promotions do catch my eye.
I like to think a lot of us working in security broke into this industry because we have a desire to understand how cyber threats and vulnerabilities work. I recall when I was growing up, I would go caravanning around Australia with my grandparents, and whenever we’d stop at different campsites, there was often a games room or an arcade there. And there was usually some older kid who had figured out how to get free games by reaching their hand under the machine and flicking a button. My $2 allowance didn’t really cover games in the arcades, but it’s safe to say I spent a lot of time on those machines. It’s probably where I got my fascination with finding out how stuff works. But back to the present.
All promos are not created equal
Recently I entered a promo draw which was being run through Easypromos, a promotional platform provider. And as fate would have it, I won big - a massive $5 jackpot! My prize wouldn’t come through until the transaction was complete on my end, so I diligently kept one eye on my inbox, until *ding* the email appeared.
The email linked to a platform which asked me to enter my first name and last name and confirm my email address. Upon answering those I could claim my prize, and sure enough, I soon received another email with the link to the goods. While trying to figure out how to print the prize (without a printer), I happened to glance at the URL. I wondered: what would happen if I changed one of the numbers? (We cybersecurity people often have the urge to tinker with things like this.)
Finding the ghost in the URL
Changing a few number combinations in the URL showed me something surprising: I could see the various prizes that different people had won, including all their details! It appeared the service was using incremental link generation and experiencing some security issues at the time. After going through different number combinations and seeing various prizes for different people (many bigger than my humble $5), I switched hats from dollar sign Bradley to Security Bradley.
How disclosure strengthens cybersecurity
If you ever find a potential breach on the web, I’d recommend you do the right thing and disclose it responsibly. This little bug needed to be disclosed ASAP. After a little bit of cyber detective work, I reached out to the Easypromos crew who, to their credit, handled the situation like pros and fixed the vulnerability immediately. The Easypromos team takes security very seriously, and they went out of their way to make sure no harm was done.
Here are the steps they took to address the vulnerability, which you can read more about on their blog:
1. They notified their clients about the security breach
2. They applied a software update to fix the vulnerability
3. They analysed the impact
4. They logged the incident
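To make the bug above concrete: the pattern described in "Finding the ghost in the URL" is an insecure direct object reference, where a claim link carries a sequential record number and the server returns whatever record that number points at. The added example below is mine, not Easypromos' code, and uses constructed sample data. It shows the guessable-id lookup beside a hardened version (random token plus an ownership check), and a small impact-analysis helper of the kind step 3 calls for, which picks out clients that stepped through several claim ids in constructed web-server log lines.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample records, not real Easypromos data.
@dataclass
class Prize:
    claimant_email: str
    description: str
    # 256-bit random token: the replacement for a guessable row number.
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

# Sequential ids like the page describes: walkable with a counter.
PRIZES_BY_ID = {
    1001: Prize("alice@example.com", "$5 voucher"),
    1002: Prize("bob@example.com", "$500 gift card"),
}
PRIZES_BY_TOKEN = {p.token: p for p in PRIZES_BY_ID.values()}

def lookup_prize_insecure(prize_id: int):
    """The bug pattern: whoever edits the number in the URL gets the record.
    Nothing checks that the requester is the person who won it."""
    return PRIZES_BY_ID.get(prize_id)

def lookup_prize_secure(token: str, requester_email: str):
    """Hardened lookup: the link carries an unguessable token, and the record
    is released only to the claimant it belongs to (the token alone is not enough)."""
    prize = PRIZES_BY_TOKEN.get(token)
    if prize is None or prize.claimant_email != requester_email:
        return None
    return prize

def claim_link(base_url: str, prize: Prize) -> str:
    """Build the e-mailed claim URL from the token, not the row id."""
    return f"{base_url}/claim/{prize.token}"

# Hypothetical log format: "<client-ip> GET /claim/<id> <status>".
LOG_RE = re.compile(r"^(\S+) GET /claim/(\d+) ")

def clients_walking_ids(log_lines, threshold=3):
    """Impact analysis: clients that fetched several different numeric claim
    ids, the signature of someone stepping through the counter."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return sorted(ip for ip, ids in seen.items() if len(ids) >= threshold)
```

Against the constructed log, only the client that requested three distinct ids is reported; a winner opening their own link once is not.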
We’re all in this together
The criminal communities we’re up against share, swap and sell their scripts and services and 0-day exploits every single day. In the security sector, we’re still bad about sharing information, especially when it comes to our own breaches. But it’s in everyone’s interest to be open about our experiences, and help each other strengthen our defences. Knowledge-sharing is the key to making this happen.
There are thousands of unsecured platforms sitting out there on the web, and sharing information is the best way to make sure any security issues are spotted and dealt with before they become a major problem. This is the nature of what we do at Get Cyber Resilient, and after our disclosure and their prompt response, I’d be happy to classify Easypromos as a cyber-resilient company. I look forward to seeing their security practice grow, and of course, trying my hand at new promos and new prizes!