r4v3rrr

  1. Hi guys. I have a complaint to make regarding your partnership with IFIXIT. On the first of January 2022 I identified a security vulnerability on the IFIXIT website. I can't go into details here for ethical reasons, but suffice it to say that the vulnerability is typically rated 'medium' severity and, in this case, may allow a malicious third party to steal session information from a 'victim's' browser. I reported the vulnerability via the email address provided in their vulnerability disclosure policy. I received no response. On the 26th of January 2022 I followed up with 'proof of concept' pictures that I had forgotten to add in the first email. No response to this either. On the 5th of February 2022 I sent a follow-up email reminder. Still no response. On the 9th of April 2022 I followed up again. Still no response. I also attempted to contact them via Twitter. They did respond to this. They linked me back to the disclosure policy. This issue not only demonstrates a lack of commitment to keeping the website users safe, but I lost out on the bug bounty payment they offer in their policy. For anyone reading this who is unfamiliar with how bad theft of session information can be, ask Linus. I didn't know this thread existed until today or I would have raised this sooner. I haven't checked in a while if the vulnerability still exists. At the time it affected Firefox users only from my testing. As a security researcher, I can't share the screenshots here on ethical grounds as they clearly identify an easily reproducible bug. Happy to work with anyone from LMG to get this to the right people though.
  2. Hey everyone. Linus mentioned open-sourcing the Floatplane app. I'm new around here; does anyone have a timeline for this? I'm an Android developer and would love to have a play with it.