Are there any consequences for exposing your users to vulnerabilities?


You might have heard about this Zoom vulnerability which can turn your webcam into Chat Roulette.

👉 Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

My question is: Do companies typically face true consequences for these mistakes? Every software development team makes mistakes, but some organizations are faster and looser with customer safety than others.

It seems like this kind of thing typically results in a blip in the stock price, but then things pretty much chug along like usual. Missed earnings seem to be the only true harm a company can endure.

 

I don't know about the US, but these kinds of vulnerabilities have serious consequences under the European GDPR regulation. As far as I can tell Zoom is handling the case very poorly. GDPR applies to every company worldwide doing business with European customers. I don't want to be mean, but I sincerely hope Zoom the company will get the "attention" it deserves.

 

As I write this, Zoom's stock price is basically unaffected. 0.56% change is basically normal trading fluctuation.

 

My guess is not enough non-technical people are aware of it yet.

Side note, if you didn't read the article about the vulnerability, run the following to kill the web server that Zoom runs on your Mac.

# Kill Zoom Web Server
pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;

pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;
 

Thanks for pointing this out. Is there any way to confirm if it was successfully killed?
I'm not so agile with the command line yet, and there was no confirmation of any sort, only a brief pause after running the command. Do you know where any files would be stored, to go and see if anything is still there?

I'm glad I physically cover my camera with a sticker; you never really know if even well-meaning apps are watching you.

After running those commands, run lsof -i :19421 and it should return nothing.

Forgot to mention that once you do this, any time you click a Zoom meeting link, it will no longer launch. All you need to do is copy the meeting ID in the URL and manually open Zoom and then paste the meeting ID in to start the meeting.

I don’t mind; I wasn’t planning on using it again (ever). I thought I had uninstalled it months ago, because I only really used it once or twice.
And either way I’d rather copy-paste a number or use a different service, than have an open invitation to my camera and microphone.

Thanks again for going into detail on this, I hope others will benefit from these comments too 😊
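An added check script, not posted by anyone in this thread, for the mitigation described above: it reports whether each marker path is still a directory (web server can recreate its state), the mode-000 file the commands create, or absent, and whether anything is listening on the port from the lsof check. The marker paths and port 19421 come from the thread; the reporting layout is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): verify the Zoom/RingCentral local
# web server mitigation described in the comments above.
ZOOM_PORT=19421   # port from the thread's "lsof -i :19421" check

# mode_of PATH -> octal permission bits (GNU stat first, then BSD/macOS stat)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# marker_state PATH -> unmitigated | mitigated | absent | unexpected
#  - directory: the opener can still write its state there
#  - regular file with mode 000: the blocker the thread's commands create
marker_state() {
  p="$1"
  if [ -d "$p" ]; then
    echo unmitigated
  elif [ -f "$p" ]; then
    if [ "$(mode_of "$p")" = "0" ]; then echo mitigated; else echo unexpected; fi
  elif [ ! -e "$p" ]; then
    echo absent
  else
    echo unexpected
  fi
}

# port_listening PORT -> 0 if something listens on TCP PORT, 1 if not, 2 if no tool
port_listening() {
  if command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
  elif command -v ss >/dev/null 2>&1; then
    ss -ltn 2>/dev/null | awk -v port=":$1" '$4 ~ port"$" {found=1} END {exit !found}'
  else
    return 2
  fi
}

# report: print the state of both markers (paths from the thread) and the port
report() {
  for m in "$HOME/.zoomus" "$HOME/.ringcentralopener"; do
    printf '%-32s %s\n' "$m" "$(marker_state "$m")"
  done
  if port_listening "$ZOOM_PORT"; then
    echo "port $ZOOM_PORT: still listening (opener process not killed?)"
  else
    echo "port $ZOOM_PORT: nothing listening"
  fi
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it with `--report` after the kill commands; every marker should read "mitigated" and the port line "nothing listening".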

 

Apparently not.

Equifax was hammered immediately after their breach, but now their price has all but recovered.

Ultimately, somebody has to prove damages, and until you can litigate off of Have I Been Pwned this stuff will keep happening with no repercussions.

 

As a former pentester, I would say companies do not spend too much on focusing on security (even some of them just rely ONLY on posting bounties on HackerOne)...

Cuz it's 1000x easier to "find one vulnerability" (from a pentester point of view) than "covering all vulnerabilities" (from a developer point of view).

It just costs a lot more to hire pentesters than just wait to discover it later and mitigate.

Yes, there will be consequences, but they're just temporary (as we saw with Facebook).

Ah, I didn't mention that those consequences are just a side effect of growing too big.

 

If pentesting and compliance/auditing cost more than the value at risk from a breach then most organizations will choose to roll the dice. So either we make security cheaper or the consequences more expensive if we want change.

 

It definitely doesn't feel, as a user, that companies have any sort of consequences. People still use the products, genuine apologies aren't made, and nothing is done for the affected users. It sucks.

 

Of course there are many ways a company can face consequences.

Depending on the location of the service there are laws to respect: GDPR, PDPA, etc.

Take British Airways: theverge.com/2019/7/8/20685830/bri...

Or even look at Marriott: thehackernews.com/2019/07/marriott...

You then also have the case of terms and conditions. If a company has breached their terms and conditions through poor practices or not fixing vulnerabilities, it is subject to users going to court.

 

In my mind there should probably be fines for this sort of thing that are evaluated against whether the company was needlessly reckless, similar to what is going on with Boeing right now. Even with pentesting and code reviews and strict testing, things like this may still happen. What we need is to subject it to the same legal precedents makers of physical products are. If the company was found negligent in its build, it should be fined accordingly.

The more interesting conversation around this is how this works internationally. The problem is, on the world stage, with laws being different in every country, you really cannot subject an outside entity to your laws effectively without being able to shut them down. Countries would have to have control of the internet to be able to shut down a non-compliant foreign entity. For instance Mark Zuckerberg can turn up his nose at GDPR and not show up to court proceedings since he is safe inside the US.

I don't believe I'd want to create a world where violating a law like GDPR outside of my home state could mean extradition and trial anywhere else. This creates a situation where any country could put anyone on trial for any violation. While many consider GDPR a good thing, you can easily imagine this growing into a Black Mirror-like scenario where countries with archaic laws start trying to try people in their own countries for laws that would never exist in another (my thoughts go to social media and violations of modesty laws).

In general we've never quite had a tool this vast and this open before. With physical products, you can just halt shipment into the country at customs, there isn't such a concept when it comes to the internet. This could lead to more diversity of tools though. For instance I might choose to use a video technology from a European based company knowing they are subject to stricter laws and scrutiny. In this sense GDPR becomes a great comparative advantage. Right now I don't see enough research into the tools that we use in general, just which one performs better, or which one is cheaper--maybe things like this open the conversation up to "would this company be held accountable if something horrific happened legally?"

 

There's brand risk but I feel like in today's day and age people are pretty inured to constant revelations of something being exposed. Even if you're doing constant security/pentesting engagements everything just moves too fast. People are constantly trading off security with the value of the service.

 

Tavis Ormandy from the Google Zero team used to do this thing where he would report a terrible 0 day vulnerability. Once it had become public, typically the share price would drop, and at that point he would buy some. Once the shares got back up to the pre-zero day price, he’d sell again and make a profit.

He was doing it to make the same point, really; he was frustrated that it would only be a few weeks for the stock price to get back to normal.

The ICO can now fine companies up to 4% of their turnover for GDPR breaches. I think BA being fined £183 million is the first example of a meaningful fine.

 

I wouldn't directly tie instant stock price to drama.

The damage done will get priced in over time if enough investors find out.

It rarely immediately drops (unless a giant storm).

You can:

fcc.gov/consumers/guides/complaint...
"The FCC may act only when it has received documented evidence, such as testimony from persons who have direct personal knowledge of an intentional falsification of the news. Without such documented evidence, the FCC generally cannot intervene."

or FTC
ftc.gov/faq

Depending on the type of problem.

Also, I have a feeling companies are not going to get away with this stuff as much / will be punished more.

 

For a second, I thought this was Ben's fun way of suggesting DEV had just found a huge vulnerability…
