Hi guys.
I have a complaint to make regarding your partnership with IFIXIT.
On the first of January 2022 I identified a security vulnerability on the IFIXIT website. I can't go into details here for ethical reasons, but suffice it to say that the vulnerability is typically rated 'medium' severity and in this case may allow a malicious third party to steal session information from a victim's browser. I reported the vulnerability via the email address provided in their vulnerability disclosure policy. I received no response.
On the 26th of January 2022 I followed up with 'proof of concept' pictures that I had forgotten to add in the first email. No response to this either.
On the 5th of February 2022 I sent a follow-up email reminder. Still no response.
On the 9th of April 2022 I followed up again. Still no response.
I also attempted to contact them via Twitter. They did respond to this. They linked me back to the disclosure policy.
This issue not only demonstrates a lack of commitment to keeping the website users safe, but I lost out on the bug bounty payment they offer in their policy.
For anyone reading this who is unfamiliar with how bad theft of session information can be: ask Linus.
I didn't know this thread existed until today or I would have raised this sooner. I haven't checked in a while if the vulnerability still exists. At the time it affected Firefox users only from my testing.
As a security researcher, I can't share the screenshots here on ethical grounds as they clearly identify an easily reproducible bug.
Happy to work with anyone from LMG to get this to the right people though.