False security notice on twitter
Update: After being confronted with the details of this blog post, a retraction was posted on twitter (https://twitter.com/#!/vuln_lab/status/98858850534424576), but the security notice is still available on their website, and the description still mentions 3.0.1, even though the header has now been changed to 2.0.8. Please note that version 2.0.8 is severely out of date and was first released in mid-2009. The security notice still has all the errors below, and is still not considered valid by anyone on the bug genie team.
Hey everyone. This blog post was created to clear up any confusion around a false security notice posted by a pretend security lab on twitter. The complete security notice can be seen here: http://www.vulnerability-lab.com/get_content.php?id=45. I will explain why this security notice is false in a few seconds, but first I want to clarify something.
Real security companies looking for bugs, errors and security issues in code work closely together with vendors and projects to make sure the details are correct, and to – when possible – coordinate disclosure so that there can be a fixed version available at the time of publication. Neither of these things happened in this case, and in addition to that, there are several factual errors and inconsistencies in the report.
- The security notice claims to have found an issue in version 3.0.1. First of all, this is an old version – it was released about six months ago. We are currently at version 3.1.3.
- The security notice contains an outdated description of the bug genie. The description of the bug genie detailed in the security notice uses a project description we have not used at all in 2011. They claim it was copied from our website, when in fact this description is nowhere to be found on our website.
- The short description of the bug mentions version 2, not 3, and not 3.0.1. This is just another example of the sloppiness and unprofessionalism displayed in the report.
- The exception error code is taken from version 2, not 3 as claimed. Version 2 has been discontinued since version 3 was released. While we have released a few fixes for issues after version 3 was released, version 2 has been discontinued and has not been supported since January 31st, 2011.
- They have posted an exception message. There is no sql injection possible in the error they have described. Even if all the above was correct, there is still no security issue displayed. They have shown no proof-of-concept code. There has been no proof shown that this is a real security issue, and their recommended workaround describes the existing implementation in the claimed affected version (2-something).
Security notices like these serves no purpose. They don’t help. They don’t shed any light on anything. Whoever is behind this notice has not given us any chance to fix, confirm or deny the issue described, and no proof-of-concept code has been provided. The issue they claim to have found is not shown in their security notice.
While no software is perfect, you should not take all security notices for granted. Responsible security labs work together with vendors so a fix can be provided together with the disclosure, and in any case provides details about security issues to the vendor in question.
There is nothing to see here. Move along.