A developer specializing in mobile apps for US conservatives is under fire for threatening to call the Feds on someone who reported security shortcomings in its software.
On Tuesday, a French infosec bod, going under the Mr Robot-themed pseudonym Elliot Alderson and handle fs0c131y, notified 63red that it had left hard-coded credentials in its Yelp-for-Trumpistas smartphone application, and that whoever built its backend APIs had forgotten to implement any meaningful form of authentication.
63red made headlines earlier this month when it launched the app, which lets users rate and share details of businesses that are friendly to conservatives. In particular, if a restaurant, bar, or whatever, and its patrons, don't mind you wearing a red Make America Great Again (MAGA) hat, they can be highlighted as such in 63red's app.
Alderson poked around inside the Android build of the app, and spotted a few insecure practices, including the programmer's own username and password hard-coded into the app, and a lack of authentication on its backend APIs, allowing anyone to pull up user account information, and potentially slurp the app's entire user database. It's also possible to insert data into the backend log files, we're told.
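To make the two backend findings concrete, here is an added illustration, written for this article and not code from 63red or the researcher: a user-lookup endpoint in the weak form described above (no authentication, any caller can read any record) beside a hardened version that requires a bearer token and only returns the caller's own record, plus a log helper that neutralises the newline characters an attacker needs to forge extra log entries. The user table, token store and handler names are constructed for the example and assume nothing about 63red's actual API.

```python
import hashlib
import secrets

# Constructed sample data standing in for a backend user table; none of it is real.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "display_name": "alice"},
    2: {"id": 2, "email": "bob@example.com", "display_name": "bob"},
}

# Server-side session store: SHA-256 of the bearer token -> user id.
# Only the hash is kept, so a leaked store does not yield usable tokens.
SESSIONS = {}


def issue_token(user_id):
    """Create a random bearer token for user_id and register its hash."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token


def authenticate(request):
    """Return the caller's user id from the Authorization header, or None."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())


def parse_id(request):
    """Parse the numeric id from the path, or None if it is not an integer."""
    try:
        return int(request["path_params"]["id"])
    except (KeyError, ValueError):
        return None


def get_user_unauthenticated(request):
    """The weak pattern: any caller can fetch any user's record by id."""
    target = parse_id(request)
    if target is None:
        return 400, {"error": "bad id"}
    user = USERS.get(target)
    if user is None:
        return 404, {"error": "not found"}
    return 200, user


def get_user_authenticated(request):
    """Hardened handler: require a valid token, then enforce that the caller
    may only read their own record (object-level authorization)."""
    caller = authenticate(request)
    if caller is None:
        return 401, {"error": "authentication required"}
    target = parse_id(request)
    if target is None:
        return 400, {"error": "bad id"}
    if target != caller:
        return 403, {"error": "forbidden"}
    return 200, USERS[target]


def log_field(value):
    """Neutralise CR/LF so user-supplied text cannot forge extra log lines."""
    return str(value).replace("\r", "\\r").replace("\n", "\\n")


def audit_line(request, status):
    """Build one audit log entry with user-controlled fields neutralised."""
    raw_id = request.get("path_params", {}).get("id", "-")
    ua = request.get("headers", {}).get("User-Agent", "-")
    return f"user_lookup id={log_field(raw_id)} status={status} ua={log_field(ua)}"


if __name__ == "__main__":
    token = issue_token(1)
    anon = {"headers": {}, "path_params": {"id": "2"}}
    alice = {"headers": {"Authorization": "Bearer " + token}, "path_params": {"id": "2"}}
    print("weak endpoint, anonymous caller:", get_user_unauthenticated(anon))
    print("hardened endpoint, anonymous caller:", get_user_authenticated(anon))
    print("hardened endpoint, alice asking for bob:", get_user_authenticated(alice))
    forged = {"headers": {"User-Agent": "x\nuser_lookup id=1 status=200 ua=fake"},
              "path_params": {"id": "1"}}
    print(audit_line(forged, 401))
```

The important difference between the two handlers is that the hardened one fails closed: with no credential it returns 401 before touching the user table, and even a valid credential only unlocks the caller's own record, so a missing-authorization bug cannot be turned into a full table dump by iterating ids.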
The reaction from 63red was far from gracious. The biz responded by accusing the researcher of carrying out a "politically motivated attack," and promised to report the matter to the FBI.
"We see this person's illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today," 63red's statement reads. "We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law."
63red described the privacy issues as a "minor problem," and noted that no user passwords were exposed nor any user data changed.
Alderson said he is not particularly worried about the threats, noting that he did not have to break into any systems nor commit any crime to see data that the developer had left out in the open.
"The FBI threat is a threat, I didn't do anything illegal," he told The Register. "I didn't break or hack anything. Everything was open."
Meanwhile, members of the infosec community are raking the app developer over the coals for its handling of the vulnerability report.
Looks like @fs0c131y's research revealing a rookie security mistake of having NO authentication on an API has triggered Stage 1 & 2 in the 5 Stages of Vulnerability Response Grief https://t.co/9REgvy2x33 — Katie Moussouris (@k8em0) March 12, 2019
Let's hope FBI educates the folks at @63red about how this really works. https://t.co/aPqsvujvop
The Register has asked 63red for further comment on the matter and an update on its communications with the FBI, but has yet to hear back at the time of publication. ®