63red Safe's Backend API Leaks Users' Data
It seems that the more we urge people to be tolerant towards each other, the more they refuse to do it. Indeed, it's not unusual to hear people complain about being discriminated against based on anything from skin color to political beliefs. According to some conservatives in the US, they are treated unfairly so often that they need an app to tell them which businesses are tolerant towards people with their political views. The application is called 63red Safe, and as the name suggests, its idea is to keep MAGA-merchandise-wearing individuals safe. What it definitely doesn't do, however, is keep its users' data safe.
Yelp for conservatives
63red Safe's concept is pretty similar to Yelp's. Users create accounts, visit different places, and tell other users about their experience. Instead of rating businesses based on the quality of the service they provide, however, 63red Safe labels them as "Safe" or "Not Safe" depending on the owners' attitude towards Trump supporters and firearms.
An insecure API exposes users' data
@fs0c131y is the Twitter handle of a security researcher who seems to be particularly interested in applications aimed at conservatives. A few months ago, he found a vulnerability in Donald Daters, a dating platform for people who share Donald Trump's views. He was able to download the entire user database which included, among other things, names, profile pictures, and private messages.
After 63red Safe's launch, @fs0c131y decided to download the new app and see if it had a similar hole. Almost immediately, he found the login credentials of Scott Wallace, 63red Safe's developer, hardcoded into the app. After some more digging around, he was able to locate the API endpoints the application uses to send and receive data. The backend API was not protected by any form of authentication, so anyone who knew the endpoint URLs could call them directly, without a session or an API key, and extracting information was easy.
The exposed details included usernames, emails, profile pictures, profile creation dates, etc. @fs0c131y said that he could also block users and insert logs in the database. According to the researcher, 63red Safe had just under 4,500 users at the time, and downloading all their information was as easy as making 36 requests to the unprotected API.
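To make the two failures concrete, here is an added example (not 63red's code, and not based on its real endpoints) in which a user-listing endpoint is written first the way the article describes it, with no caller identity, full user rows and admin actions open to anyone, and then in a hardened form that authenticates the caller, returns only public fields and restricts blocking to administrators. The field names, the HMAC token format and the page size of 125 (4,500 users divided by 36 requests) are assumptions made for this demo, and the user table is constructed sample data:

```python
"""Added example: an unauthenticated, over-sharing user-listing API beside
a hardened version. Not 63red's code; names, token format and the page
size are assumptions for the demo."""
import hashlib
import hmac
import math
import secrets

PAGE_SIZE = 125               # assumption: ~4,500 users / 36 requests
SECRET = secrets.token_bytes(32)   # server-side key for minting session tokens

# Constructed sample data standing in for a real user table.
USERS = [
    {"id": i, "username": f"user{i}", "email": f"user{i}@example.com",
     "picture": f"/pics/{i}.jpg", "created": "2019-03-01",
     "role": "admin" if i == 0 else "user", "blocked": False}
    for i in range(4500)
]
PUBLIC_FIELDS = ("id", "username", "picture")


class AuthError(Exception):
    pass


def _page(page):
    start = page * PAGE_SIZE
    return USERS[start:start + PAGE_SIZE]


def pages_needed():
    """How many paged requests a scraper needs to pull the whole table."""
    return math.ceil(len(USERS) / PAGE_SIZE)


# --- Vulnerable: no authentication, every column, admin action for anyone ---
def vulnerable_list_users(page):
    return [dict(u) for u in _page(page)]


def vulnerable_block_user(target_id):
    USERS[target_id]["blocked"] = True
    return True


# --- Hardened: authenticated caller, public fields only, role check ---
def issue_token(user_id):
    """Bind the user id to an HMAC over the server secret (assumed format)."""
    tag = hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def _authenticate(token):
    try:
        uid_str, tag = token.split(".", 1)
        uid = int(uid_str)
    except (AttributeError, ValueError):
        raise AuthError("malformed token")
    expected = hmac.new(SECRET, str(uid).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or not 0 <= uid < len(USERS):
        raise AuthError("bad token")
    return USERS[uid]


def hardened_list_users(token, page):
    _authenticate(token)                       # caller must be a logged-in user
    # Strip e-mail, creation date and role: other users never need them.
    return [{k: u[k] for k in PUBLIC_FIELDS} for u in _page(page)]


def hardened_block_user(token, target_id):
    caller = _authenticate(token)
    if caller["role"] != "admin":              # authorization, not just authentication
        raise AuthError("admin only")
    USERS[target_id]["blocked"] = True
    return True


def dump_all(list_fn, *args):
    """Walk every page the way a scraper would; returns (rows, pages fetched)."""
    rows, page = [], 0
    while True:
        chunk = list_fn(*args, page)
        if not chunk:
            break
        rows.extend(chunk)
        page += 1
    return rows, page
```

The point of `dump_all` is that pagination is not a control: once the listing endpoint answers without a session, the whole table is 36 predictable requests away. Requiring a token only proves the caller has an account; the second half of the fix is returning nothing a fellow user has no business seeing, and gating write operations such as blocking on a role check rather than on knowing the URL.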
The question of vulnerability disclosure takes center stage again
63red, the company that developed 63red Safe, has taken the application offline and has promised that all security issues will be fixed, which is good news. What's not so good is the way the whole thing unfolded.
Normally, when researchers find a vulnerability or a data leak, they privately contact the affected organization, share the information, and help with a solution. @fs0c131y didn't contact 63red and instead posted his findings on Twitter. The developers weren't given a chance to patch the leak, and the details became immediately available for everyone with an internet connection.
Publicly reporting vulnerabilities through social media does happen when the affected organization refuses to cooperate or ignores researchers' attempts to get in touch. In this case, however, 63red didn't ignore @fs0c131y because he never contacted the vendor in the first place. ZDNet covered the story and asked him why he had taken this particular approach. His response was "Let's say I don't really like Trump fans".
Potentially exposing the personal data of thousands of individuals just because they support a particular political figure does raise a few questions around @fs0c131y's disclosure. That being said, 63red's response wasn't exactly exemplary, either.
Instead of coming up with a clear statement on what had gone wrong, they published a Medium post and did two things. First, they tried to downplay the vulnerability, saying that only a "small amount of information" had been exposed and that no passwords were compromised. Then, they went on to blow the problem completely out of proportion and claimed that @fs0c131y's research was a "politically-motivated attack" and that he would be "brought to justice".
It's fair to say that both researchers and online service providers can learn a valuable lesson from all this. They can learn what not to do when they're dealing with a security issue.