Wednesday, March 28, 2012

Full disclosure of facebook bugbusters app security vulnerabilities by SANTHOSH TUPPAD

Full disclosure of facebook bugbusters app security vulnerabilities by SANTHOSH TUPPAD

A bit of overview about BugBusters

BugBusters is a facebook app launched by uTest which is a crowd-sourcing community for software testing. This game is a flash game and to look at the game or play the game please visit http://apps.facebook.com/bugsbusters/?ref=ts

This game was launched as a contest which had 3 prizes being first prize as iPad and other 2 prizes as Digital Cameras.

What happened after I discovered the security vulnerabilities?

This game was already live and I could see lot of activity from the users around the globe. Once I found this, I quickly documented the report with the necessary details which could help uTest or the development vendor to fix it.

Once the report was ready, I contacted VP of Marketing Mr. Matt Johnston and Mr. Peter Shih who is a community manager via e-mail. They responded quickly with interest to look into the details. Thanks to Matt for introducing the development company to whom I reported these bugs (The development company name is: Blonde20 – http://blonde20.com/).

Those security vulnerabilities were fixed within the same week I reported them. Thanks to Blonde20 folks for fixing it very soon. The fix was not including the details like Score, Profile ID, profile Name etc. in the POST_DATA form. Once they fixed it I tried reproducing it and could not reproduce the same however, I did not explore for more vulnerabilities for the new fix if there were any because I got busy for the BugDeBug conference and other tasks.

This is all good but, where is full disclosure? Well, I have it for you here.

I did not win the game but, at least for me I am the top most winner and have a feeling of winning billion dollars. I wish all the security testers, researchers, newbie (ethical) hackers to learn from my findings and help the web community to protect from the bad guys out there.

No comments:

Post a Comment