4.5 months ago I told a "HIPAA compliant" telemedicine company they were vulnerable to cross-site scripting (if a user is authenticated) plus session hijacking. Telemed is interesting in COVID times.
Can you guess if they fixed either vuln yet?

#appsec #infosec #HIPAA #nobodycares
So, it's been more than six months now. This is why CVEs and reporting directly to vendors is pointless and soul crushing. @Bugcrowd is pointless too if you're not interested in money for reports. Reference this current thread and
Here are some fun prints of what #infosec is. Note, the second DM was really fast and did follow through to put me in contact with the right person. Thank you Twitter person #2. It fizzled out though after that at no fault of person #2.
Checked today and guess what? Multiple sites that use this SaaS are vulnerable to Cross-site Scripting and Session Hijacking. I did no real testing, just very basic stuff to confirm if it's still vulnerable. Imagine if they did a real test?
Why don't I put them on blast? Because, there are thousands of people using Telemedicine right now due to COVID and everything else going on. I believe it will only put my family, friends, and general public at risk if I do.
So what will I do next? I guess just report them to @USCERT_gov and see what happens. I do believe this is a #HIPAA violation anyway.
Stay safe everyone. Try not to lose your shi when trying to fix all of the things. #nobodycares :(
8 months now; Session Hijacking & Cross-site Scripting reported. Can be used to compromise Protected Health Information (PHI).

Rather than showing impact and ending up on @DarknetDiaries 😅 I will report to @USCERT_gov this week. I will try to doc the process & post for others.
Today is the 1 yr anniversary of informing a company & some of the insurance providers that use them that they have multiple vulnerabilities such as Cross-site Scripting & Session Hijacking. I didn't want to put them on blast because of the major uptick in virtual DR visits.
I never did end up going to @USCERT_gov because I just don't have the energy or time anymore. As a matter of fact, I've blown off so many vulns due to not having the energy to chase these companies down month, after month, after month.
I'm not even trying to hack. Some of it is just so bad that you can't miss it or un-see it. You just feel like they should know for them and the people that use their products. Especially, healthcare, etc.
Because of that, I'm changing how I personally define responsible disclosure. In the past I would notify, give plenty of time to fix it, I would help them fix it if needed (for free), and then I would coordinate public disclosure in some cases. It's just freaking exhausting.
New process:
1. Notify of vulnerability.
2. Provide plenty of evidence.
3. Disclose after 90 days fixed or not.
I will not argue if something is a vulnerability or not. If it's not, who cares if it's disclosed.
I will not use 3rd parties such as Bugcrowd. They will not help hide the truth. I'm not trying to get paid when I inform companies about vulnerabilities. I am telling them so they can protect their users, myself, and for their own good.
@MDLIVEInc was the start of this thread.
@Cigna, who uses MDLive's "HIPAA" compliant service for "24/7 Access to Board Certified Doctors", was also notified. The conversations you see in this thread are with them.
Here is a very basic example of XSS in @MDLIVEInc and @Cigna's sites. There's more. They were notified 8-12 months ago:
members.mdlive.com/login?flash=In…<img%20src=/%20onerror=alert(document.cookie)>n
mdliveforcigna.com/login?flash=In…<img%20src=/%20onerror=alert(document.cookie)>n
Just to close this thread out for now: some of the mentioned vulnerabilities were quickly remediated after this last post. Specifically, the XSS. Thank you.
