When Good Intentions Go Unanswered: The Frustrations of Reporting an Open Redirect Vulnerability
A few weeks ago, after tinkering a bit with the URL in my location bar while navigating around ziggo.nl, I noticed an Open Redirect Vulnerability.
I checked for the proper procedure to report this to Ziggo, not actually expecting any reward, so the report was a really low-effort one. But it was sufficient for Ziggo to assess the impact and address the issue.
I found Ziggo’s Meldpunt beveiligingslekken, which contained an email address, and sent them my report. After that I spent some time skimming through their Gedragscode Responsible Disclosure and noticed there might even be a reward for bugs:
Ziggo decides independently whether a reward is granted. The condition for this is that a legitimate report has been made, of an innovative and substantial nature, within the terms of this code of conduct.
So it seems Ziggo has their Responsible Disclosure procedure set up properly and is even willing to reward proper reports, which is of course comforting to know as a customer.
And who knows, I might even end up with a small reward, but I’m not expecting much.
All of this is not really surprising: Security issues happen, friendly researchers report them and the company involved gives feedback and fixes the issue.
However, in the case of Ziggo, it’s been extremely silent.
Ziggo did not respond within their self-set 2-day response time. After 4 days I checked whether they had received my report and when I would get feedback, and their reply was “when did you send the report? We’re on to it”.
Another 24 days (!) later I asked for an update. I didn’t get a reply.
Another 14 days later I asked again, getting slightly frustrated because I didn’t feel my report was being taken seriously at all. I did get a reply: a single line that the vulnerability had been reported (internally, I assume) and that they were working on a solution.
I tend to tinker with websites when I visit them, opening the inspector to see what calls are being made behind the scenes or sometimes changing arguments in the location bar.
This is also how I ran into an Open Redirect Vulnerability (link) on a ziggo.nl domain. An Open Redirect vulnerability allows you to redirect users to any other page, and that’s it.
So the most surprising part here is that the Responsible Disclosure page seems mostly to convey good policy and professionalism, but the processes are not actually executed. Either that, or they are so overwhelmed that my simple Open Redirect Vulnerability is such low priority that it takes them more than a month and a half to come up with a proper reply or acknowledgement. Or there is simply no one actively responsible for handling security issues.
| Date | Event |
|---|---|
| March 6 | → First report containing details and exploit |
| March 10 | → Contacted again, informing about status |
| | ← Received reply, asking when I made the report and informing me they were on it |
| April 3 | → Informing about status of issue |
| April 17 | → Again informing about status since no reply was received |
| | ← Received single line reply that issue was being addressed |
| April 22 | ✎ Wrote blogpost. Verified issue is still present |
| April 24 | ✓ Issue seems to have been fixed, redirect no longer works to unverified domains |
Summarized: it takes the Ziggo security team (if there actually is one) over 6 weeks to address and acknowledge an issue. It seems reported security issues are not taken seriously, at least not those at the severity level of an Open Redirect (which is considered medium level).
I think Ziggo could easily have verified the issue within 2 days (their schedule, not mine), confirming the issue and letting me know it’s being addressed, with some timeline for when it would be resolved. So far they’ve been really lacking on the verifying, fixing and communication part.
I’ll wait a bit more to see if Ziggo ever gets back to me. At some point I will publish details about the Open Redirect Vulnerability regardless of whether they fixed it or not.
Ziggo seems to have fixed the redirect. https://entertainment.ziggo.nl/nl/fixed?returnURL=https://www.youtube.com/watch?v=dQw4w9WgXcQ would previously redirect you to YouTube; it no longer does.
I still have never heard back from the Ziggo security team. No acknowledgement, nor an appreciative “thank you for bringing this to our attention”.
Safe to say Ziggo is not acting professionally here, nor living up to their own disclosure policy.
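For readers wondering what a fix like "redirect no longer works to unverified domains" looks like in code, here is an added example (my own illustration, not Ziggo's implementation) of a `returnURL` handler in both its open-redirect form and a hardened form that only follows same-site paths or an allowlist of hosts. The host allowlist and the function names are assumptions; the edge cases it rejects (scheme-relative `//host`, userinfo tricks, backslashes, non-http schemes) are the usual ways naive checks get bypassed.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist; the real set of hosts the Ziggo endpoint accepts
# is not known from the post.
ALLOWED_HOSTS = {"www.ziggo.nl", "entertainment.ziggo.nl"}
SAFE_DEFAULT = "/"


def vulnerable_redirect_target(return_url: str) -> str:
    """The open-redirect pattern: whatever arrives in returnURL is used as-is."""
    return return_url


def safe_redirect_target(return_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return return_url only if it stays on-site or on an allowed host.

    Anything else falls back to SAFE_DEFAULT instead of raising, so a bad
    parameter degrades to 'go to the home page' rather than to an error.
    """
    if not return_url or any(c in return_url for c in "\\\r\n\t "):
        # Browsers treat "\" like "/" (so "/\evil.example" leaves the site),
        # and control characters or spaces have no place in a redirect target.
        return SAFE_DEFAULT
    parts = urlsplit(return_url)
    if parts.scheme == "" and parts.netloc == "":
        # A plain path such as "/account" stays on the current origin.
        # "//evil.example" does not reach here: urlsplit gives it a netloc.
        return return_url if return_url.startswith("/") else SAFE_DEFAULT
    if parts.scheme not in ("http", "https"):
        # Rejects javascript:, data:, and the scheme-relative "//host" form.
        return SAFE_DEFAULT
    # .hostname strips userinfo and port, so "https://www.ziggo.nl@evil.example"
    # yields "evil.example" and is rejected by the exact-match check below.
    host = parts.hostname or ""
    if host not in allowed_hosts:
        return SAFE_DEFAULT
    return return_url


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the post.
    for candidate in (
        "https://www.youtube.com/watch?v=dQw4w9WgXcQ",
        "//evil.example",
        "https://www.ziggo.nl@evil.example/",
        "/account",
        "https://entertainment.ziggo.nl/nl/fixed",
    ):
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)!r}")
```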