Posted in: Business newsLast update: 01/12/20
All digital platforms and solutions run the risk of encountering vulnerabilities, but the real measure of their approach to cybersecurity lies in their policy on disclosing the vulnerability to those affected.
Author’s Note: At the time of writing, this vulnerability had already been patched.
As a cybersecurity professional, I come across news about cyber scams and phishing attacks quite often, but there’s another aspect of our online world that we don’t think much about: the platforms customer promos and draws use to notify the winners and send them their prizes.
I recently entered one such draw, which was being run through Easypromos, and succeeded in winning a prize. I received an email notifying me that I had won, along with a link to a platform which asked me to enter my First Name, Last Name & confirm my email address to make my claim.
While trying to figure out how to print it, I happened to glance at the URL. I wondered what would happen if I changed one of the numbers in the URL? Doing so showed me something surprising: I could see the various prizes that different people had won and their details! It appeared the service was using incremental link generation and experiencing some security issues.
I performed a bit of reverse engineering by using free public WHOIS Tools and running a few DIG’s, and quickly found out that the platform belonged to Easypromos. The first thing I noticed on the bottom of the website was ISO27001, ISO27018 & a badge around GDPR compliance.
This was a good sign, as it shows that the company takes security seriously and invests in multiple certifications. So with the help of Dan McDermott, Mimecast’s Marketing Director and editor in chief of Get Cyber Resilient, we wrote an email to Easypromos notifying them of our findings.
Easypromos very quickly responded to us, acknowledged the breach and shared the steps they had taken to rectify it. Let’s go through the steps and unpack them.
1. Easypromos notified their clients about the detection of a security breach
This should make any security person smile. Notifying a client and not trying to hide a breach is absolutely the right thing to do. Too many companies try to hide breaches. We saw this recently with an attack on a Psycho Therapy centre in Finland where the hacker published sensitive information on patients online and effectively blackmailed the victims.
2. They applied a software update to fix the vulnerability
In defence of the original design of the promo platform, there was an authentication token that came after the URL. The key issue was that the token didn’t seem to actually be doing anything. You could simply have anything as a token, and it would still serve a page. The cyber team at Easypromos addressed this issue immediately.
3. They analyzed the impact and checked if anyone had abused the vulnerability
My guess is that it should be easy for them to determine if anyone else had abused the vulnerability. Tracking down anyone who took unfair advantage of the issue is the correct thing to do. Under Australian law, lotteries and Prize Promotions are governed under a strict set of guidelines to make sure the promotion is fair.
4. They logged the incident to learn how to avoid a similar case in the future
I haven’t seen the incident report logged by Easypromos, but for me, that’s just the cherry on top. Not only did the Easypromos team demonstrate fast communication and remediation, but they also showed a clear desire to learn from this and improve.
Sharing information is the nature of what we do at Get Cyber Resilient, and after our disclosure and Easypromos’ prompt response, I’d be happy to classify Easypromos as a cyber-resilient company. I look forward to seeing their security practice to continue to mature.
Publication date: 2020-12-01