A “female social network” called Giggle whose operators left its user database unsecured has triggered a wave of Twitter controversy after its founder threatened to sue a UK infosec firm that pointed out the vulnerability.
Over the past few days lots of tweets have been posted on the happy and friendly microblogging website about Giggle’s security practices. While the flaw has been fixed, the way it was dealt with has caused a wave of head-scratching among those British infoseccers who use Twitter.
Even for those who stay the hell away from Twitter (good on you, folks - keep that up) there are potentially some lessons to be learnt from the Giggle debacle about responsible disclosure as well as operating an app that collects and stores users' data.
It began earlier this week when Saskia Coplans of Manchester-based Digital Interruption Security signed up for Giggle. The app enforces its “female-only platform” policy by using artificial intelligence to divine, from an uploaded selfie, whether a new user is "female" or not. With data privacy concerns in mind, Coplans and fellow DI Security researcher Jay Harris started probing the Giggle app.
“We decided to look at the network traffic. It was super easy to find and exploit,” Harris told The Register. He said DI Security was able, without authentication, to pull signed-up users’ phone numbers and geographical coordinates from Giggle’s servers, adding: “During our testing we made sure we only tested between accounts we had set up so we didn’t see legitimate users’ details but we were able to verify there was a vulnerability between accounts we had set up and tested.”
Harris and Coplans decided to contact Giggle and inform the app operators of their findings, later blogging about the insecure direct object reference (IDOR) vuln they uncovered. The initial contact, however, was where things began to break down.
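To make the flaw class concrete, here is an added illustration of an IDOR on a profile endpoint, written for this article and not taken from Giggle's code or from DI Security's write-up. It models a handler that returns a user record keyed only on the id in the request (the shape of the bug described above: phone number and coordinates retrievable without authentication), next to a hardened handler that authenticates the caller first and releases the sensitive fields only to the record's owner, plus a defender-side check over an access log that flags a single caller pulling many distinct profiles. The endpoint names, the `SESSIONS` store, the sample profiles and the log lines are all constructed for the example.

```python
"""Constructed IDOR illustration: vulnerable profile lookup, hardened lookup,
and a log check for profile enumeration. Not Giggle's code; all data is made up."""

from dataclasses import dataclass, asdict
import secrets


@dataclass
class Profile:
    user_id: int
    display_name: str
    phone: str
    lat: float
    lon: float


# Constructed sample records (fictional people, Ofcom drama-range numbers).
PROFILES = {
    101: Profile(101, "alice", "+44 7700 900001", 53.48, -2.24),
    102: Profile(102, "bethany", "+44 7700 900002", 51.51, -0.13),
}

# Hypothetical session store: bearer token -> user id, populated at login.
SESSIONS = {}


def login(user_id):
    """Issue a random bearer token for an already-verified user."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = user_id
    return token


def vulnerable_get_profile(request):
    """IDOR: trusts the id in the request and never asks who is calling,
    so anyone who can reach the endpoint can walk the id space and collect
    every user's phone number and coordinates."""
    profile = PROFILES.get(request["user_id"])
    if profile is None:
        return 404, None
    return 200, asdict(profile)


def hardened_get_profile(request):
    """Authenticate first, then authorize per record.

    Returns (status, body). The auth check runs before the lookup so that an
    anonymous caller cannot even learn which ids exist."""
    caller = SESSIONS.get(request.get("authorization", ""))
    if caller is None:
        return 401, None
    profile = PROFILES.get(request["user_id"])
    if profile is None:
        return 404, None
    if caller == profile.user_id:
        # Owner sees the full record.
        return 200, asdict(profile)
    # Anyone else gets only public fields; phone and exact location never
    # leave the server for a non-owner.
    return 200, {"user_id": profile.user_id, "display_name": profile.display_name}


def flag_enumeration(access_log, threshold=20):
    """Detection check over (caller, requested_user_id) pairs from an access
    log: one caller fetching more distinct profiles than `threshold` is the
    signature of an IDOR being abused. Returns the flagged callers, sorted."""
    seen = {}
    for caller, requested in access_log:
        seen.setdefault(caller, set()).add(requested)
    return sorted(c for c, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    # Unauthenticated request against the vulnerable handler leaks everything.
    print(vulnerable_get_profile({"user_id": 102}))
    # Same request against the hardened handler is refused outright.
    print(hardened_get_profile({"user_id": 102}))
    # Logged-in user 101 asking for 102 gets only public fields.
    tok = login(101)
    print(hardened_get_profile({"user_id": 102, "authorization": tok}))
    # Constructed log: token-a walks 25 ids, token-b looks at two.
    log = [("token-a", i) for i in range(25)] + [("token-b", 1), ("token-b", 2)]
    print(flag_enumeration(log))
```

The ordering in the hardened handler matters: checking the session before the lookup means an unauthenticated caller gets the same 401 whether or not the id exists, and the non-owner branch returns a freshly built dict rather than a filtered copy of the full record, so a later field added to `Profile` is private by default.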
And then it got messy
As he described it, Harris said DI Security direct-messaged Giggle on Twitter asking to speak to someone. This request, he said, had not been answered after 24 hours, so “we sent a public Tweet to Giggle, saying can you check your DMs please, we want to discuss something with you.”
Giggle founder Sall Grover saw this differently from DI Security. She told The Register: “I am frequently attacked on Twitter but it went up a notch. So when someone Tweeted at me that there was a vulnerability in Giggle’s security, prefaced with ‘we don’t agree with your views’, I thought it was just another run of the mill Twitter attack.”
Many members of the trans community aren't fans of "gender identifying" AI, and are concerned about being misgendered, and DI Security’s Harris was open when he spoke to El Reg, explaining: “We felt it was important to distance ourselves from the product... We do a lot of work in Manchester around helping gender minorities get into cybersecurity...”
Everything degenerated from there, as Grover interpreted DI Security’s approach as an attempt to drum up business rather than a bona fide warning. Things got very heated. DI Security published a blog post (linked above) once the IDOR had been fixed.* That post prompted Grover to make unspecified threats of legal action, although she has said they were made "at a time when I still thought I was dealing with a Twitter troll."
It turned out OK in the end
It got worse as Grover interpreted large numbers of frustrated infosec people tweeting at her as a “troll attack”, with the whole thing eventually reaching the point where well-known security bod Troy Hunt, who knows a thing or two about cold-contacting companies to disclose vulns, felt the need to weigh in.
Interesting vulnerability / disclosure / fallout thread, starting with this yesterday: https://t.co/GTg3435Pav — Troy Hunt (@troyhunt), September 10, 2020
“It was more about her feeling attacked,” conceded Harris afterwards to The Register. “From us, we’re trying to protect their users… Seemed ridiculous that whole message was lost due to this.”
In a statement Giggle’s security team told The Register: “Security vulnerabilities are a very important issue. They are found from time to time and there are good people out there who help. DI are one of those guys [sic]. When anyone suggests we have a security problem we must take it seriously and investigate. If it turns out to be credible, we are gracious and appreciative.”
Grover echoed that sentiment today, saying:
This morning, I emailed Jay and Saskia and apologised to them for how the situation had exploded and said, had I known then what I know now, I would have handled the situation differently. Jay accepted my apology and apologised for notifying me in a way that could have been interpreted as a personal attack on me. We agreed that we both learned some lessons.
What are the lessons to learn from all this kerfuffle? Be civil to each other – not every single online interaction is necessarily an attack, and not all public breach notifications necessarily need a “health” warning. Infosec companies work for all manner of clients and whatever you think of the client’s views or operations, it may not be wise to advertise those in your first communications with them. ®
* Knowledgeable folk from Pen Test Partners are still discussing on Twitter whether the lat/long coordinate leak from Giggle has truly been fixed.