
Ask HN: I know how to reset any Nexmo.com account, but nobody cares - sebiw
Nexmo.com provides messaging and voice solutions, such as SMS gateway functionality, and has prominent customers like Airbnb. In May I found a serious security vulnerability on their website that enables anyone to reset the password of any account on Nexmo.com by knowing the account's email address and thus to take over an account and see what SMS messages were sent by the account, happily use credits of the account, et cetera.

I tried to figure out how to contact them about the security vulnerability; they don't have a dedicated site about security nor how security researchers can contact them, like Github and many others have (https://help.github.com/articles/github-security/). Which makes me think about how important security is to that company, but anyway.

So I ended up writing to their general-purpose support email address describing that I've found a highly severe security vulnerability related to password resets and would like to get in touch with someone from their IT security department or similar. And here's what they replied:

"Thanks for your email - this challenge has finished already, but we appreciate you contacting us."

Wait ... this "challenge" has finished already? What the serious f***?!

So I replied and explained to them that my inquiry isn't about a "challenge" but a serious security hole on their site.

Finally, it seemed that they understood what I wanted and they replied with the following:

"Thanks for letting us know about this, as a result of your email we are investigating it internally. If we need any further information from you we will let you know."

The reply seemed a bit weird to me. Why don't they just get in touch with me so I can explain the vulnerability? I respected their answer.

As of today, the security vulnerability is still present. How can you as a company just simply not even care about security and customer information?

So HN, what should I do? Just forget about it?
======
marcuzhn
I'm Marco and I work in the ops team at Nexmo. I have found your initial email
to our Support team, and I can see that there have been some changes in our
dashboard related to your report. I am not sure it's fixed because I don't
have the details about the vulnerability you discovered, but I do know that
initially we were resetting the user password straight away after a request.
This is no longer the case - the email address now receives a reset link. If
your report is still relevant despite this new procedure, I am very happy to
receive the details.

Also, I would like to respond to the complaints that "we don't care about
security". This is simply not true and we even use a bug bounty reward
program. We do care and we accept reports through
[https://cobalt.io/](https://cobalt.io/) (ex CrowdCurity), so if you share
with us your username/email on cobalt, we can add you to our program.

I totally agree we fucked up handling your report better back in May. I hope
you are still willing to work with us!
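The two procedures Marco contrasts (resetting the password immediately on request versus emailing a reset link) differ in who can actually change a password. The following is an added illustration written for this thread, not Nexmo's code and not posted by anyone here; the class names, the 15-minute token lifetime, the in-memory stores and the `outbox` stand-in for a mail sender are all assumptions made for the example. It shows why the link-based flow has to be single-use, expiring and stored hashed, and why the request endpoint should answer identically for unknown addresses.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for the example: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-SHA256 digest) suitable for storing a password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(stored: tuple, password: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class InsecureResetFlow:
    """The procedure the thread says was in place at first: the stored password
    is replaced the moment anyone submits the address. Whoever knows the email
    address can lock the real owner out without proving control of the mailbox."""

    def __init__(self, users: dict):
        self.users = users          # email -> (salt, digest)
        self.outbox = []            # constructed stand-in for the mail sender

    def request_reset(self, email: str) -> str:
        if email in self.users:
            new_password = secrets.token_urlsafe(12)
            self.users[email] = hash_password(new_password)   # old password is gone
            self.outbox.append((email, new_password))
        return "ok"


class LinkResetFlow:
    """Reset via an emailed single-use, expiring token. Nothing changes until the
    link is followed, so only someone who can read the mailbox completes it."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users          # email -> (salt, digest)
        self.pending = {}           # sha256(token) -> (email, expires_at)
        self.clock = clock          # injectable so expiry can be tested
        self.outbox = []            # constructed stand-in for the mail sender

    def request_reset(self, email: str) -> str:
        if email in self.users:
            token = secrets.token_urlsafe(32)
            # Store only a hash of the token so a leaked table cannot be replayed.
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = (email, self.clock() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        # Identical reply whether or not the address exists: no account enumeration.
        return "If that address is registered, a reset link has been sent."

    def confirm_reset(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)     # pop: the token is single use
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.users[email] = hash_password(new_password)
        return True


if __name__ == "__main__":
    users = {"alice@example.com": hash_password("old-secret")}   # constructed sample
    flow = LinkResetFlow(users)
    print(flow.request_reset("alice@example.com"))
    _, token = flow.outbox[0]
    print("first use:", flow.confirm_reset(token, "new-secret"))
    print("second use:", flow.confirm_reset(token, "again"))
```

The point of `InsecureResetFlow` is that its `request_reset` is a write: an unauthenticated caller changes the victim's credentials even if the mailed password never reaches them. In `LinkResetFlow` the request only records a hashed token, and the write happens in `confirm_reset` after the token is presented, checked against its expiry and consumed.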

~~~
sebiw
Hi Marco,

I'm so happy I finally have a person to talk to that seems to understand me.

Thanks for providing me the link to cobalt.io. I've never heard of that
platform before. I just registered. My username is sebi

I'd think it would strengthen the position that you care about security if you
would dedicate a page on your site to security. Would really like to see
something like that. Not only as a security researcher, but also as a customer
of yours.

~~~
marcuzhn
Totally agree and it's in the plan to add the security page (I don't have an
ETA honestly). I will add you to our program shortly, thanks!

~~~
jfrisby
Well, there's a "Report vulnerability" link right on the front page of
nexmo.com as of right now...

------
lost_my_pwd
I have never gotten results by attempting to use a company's regular support
channels. Best bet is to research who works there in a capacity that would
actually be concerned about security issues.

On Nexmo's leadership page[0] I found their CTO, Eric Nadalin. A little
LinkedIn search got me his profile[1]. Searching his name shows a lot of sites
that would allow you to reach out to him (e.g. AngelList, Facebook, Twitter,
etc.)

If that does not work, try reaching out to some of the companies that are
Nexmo's clients. Even if Nexmo does not care, you can be sure that most of
their clients will care, and they will definitely have the attention of Nexmo.

[0]
[https://www.nexmo.com/company/leadership/](https://www.nexmo.com/company/leadership/)

[1]
[https://www.linkedin.com/in/enadalin](https://www.linkedin.com/in/enadalin)

~~~
danielh
Nexmo's CEO also seems to be active on Twitter:
[https://twitter.com/jamingo](https://twitter.com/jamingo)

------
kaypro
I've had similar negative results with their support a few months back on a
project I was working on. Long story short is we switched to Twilio as a
result. Their response time for a high priority ticket was embarrassing. I
don't know if it's related to growing pains or bad timing but for commodity
services like this where it's so easy to switch to a competitor on a whim (we
were only using their SMS gateway service) it's critical to stay on top as
it's tough to create brand loyalty unless your support is amazing. One of the
reasons I'm fiercely loyal to Stripe even if a competitor may be cheaper...
their support is amazing.

~~~
sparrish
We've been a nexmo customer for a few years and support has definitely gone
downhill. I rarely get any support request resolved anymore. Many simply go
unanswered. We're looking for another global sms provider.

------
Arkanosis
I had a similar problem some months ago with a prominent blogging platform and
I ended up sending an email to the tech contact in their WHOIS. I got a
response in less than one minute from a guy who wasn't working directly for
the company, but for their hosting provider. He got the security issue fixed
in something like three days.

Try WHOIS, you'll hopefully reach someone tech-savvy enough to discuss with.

------
thefreeman
Full Disclosure. That's what happens when companies aren't interested in
hearing about their security vulnerabilities.
[https://nmap.org/mailman/listinfo/fulldisclosure](https://nmap.org/mailman/listinfo/fulldisclosure)

~~~
JosephRedfern
IANAL, If you're "fully disclosing" a vulnerability in a service (that isn't
running a responsible disclosure program) rather than a code-base, you're
potentially opening yourself to legal trouble.

Even looking for vulnerabilities in software running on servers that aren't
controlled by you without permission is very legally sketchy.

Whether or not you should do so or not for the good of the internet is a
different argument, but you should be aware of the potential implications.

~~~
marcuzhn
I am not 100% sure about the legal details, but Nexmo as a company has a bug
bounty reward program, so I assume in our case it doesn't apply because we
want to know what's wrong and we request responsible disclosure (usually after
the fix is in production). You can see it here:
[https://cobalt.io/nexmo](https://cobalt.io/nexmo) (yes, it isn't yet linked
from our www).

~~~
JosephRedfern
Only APIs seem to be listed as in-scope, though. dashboard.nexmo.com (as well
as www., and many other subdomains) are explicitly listed as being out of
scope :).

~~~
marcuzhn
LOL I expected that. Simple reason: we have received a good number of reports
for our dashboard and some of them are still open mostly because they are not
top priority. Needless to say we accept all reports and reward them
according to severity. :)

------
marcuzhn
FYI the fix has been deployed (and it was unrelated to what I've said in my
first comment). Thank you very much for helping even though it didn't start
the right way!

------
JustMadMike
They have responded on twitter to someone linking to this post

 _@danielhepper This was reported back in May and was since resolved. If you
have any concerns please contact us at support@nexmo.com._ [1]

Maybe they fixed another security issue as they never inquired about the
security hole you found. Which you suggest is still present.

[1]
[https://twitter.com/Nexmo/status/624582630126813184](https://twitter.com/Nexmo/status/624582630126813184)

~~~
sebiw
Don't know why they are issuing such a statement. As of right now it clearly
isn't fixed.

------
sebiw
Just in case someone from Nexmo reads this or someone is interested in
contacting me, I'm leaving a back channel:

sebiw@me.com

------
waffle_ss
Does HackerOne[1] let you report vulnerabilities if the company isn't already
signed up? Like, would they help facilitate interactions with the company,
allowing some sort of public disclosure timeline?

[1]: [https://hackerone.com/](https://hackerone.com/)

------
vinhboy
Did you ask them for money? Did you describe the nature of the bug you
discovered? Hard to believe a company will ignore a "I can reset any account's
password" bug report. And if you're asking for a bounty, maybe they just can't
afford to pay it.

~~~
sebiw
I never asked for any money. Here's my full initial email to them:

"Hi

I would like to inform you about a critical security vulnerability on your
site.

The vulnerability allows an attacker to reset the password of an account by
simply knowing the target's email address.

Please reply with a signed S/MIME message and I will precisely explain the
vulnerability to you.

Kind regards, ..."

~~~
edent
The problem is, companies get a tonne of emails like this - usually from
crackpots who think that they've found a vulnerability when they haven't.

May I suggest an email which establishes your credentials and gives a bit more
details - without necessarily telling a customer service agent the full
details.

For example:

> My name is Bob, I'm a security researcher at FooCorp. I've discovered a
> serious security vulnerability with your XYZ system. It is possible to reset
> customers' accounts without any authorisation. I've been able to replicate
> this on test account abc@123. I think this is caused by a misconfigured
> widget. Please can you forward this message on to your head of security. You
> can see my previous security work at [http://...](http://...).

Something like that _may_ be more likely to get some positive attention.

~~~
nmrm2
_I've been able to replicate this on test account abc@123._

I'd leave that out unless you're confident the company isn't going to screw
you. Speaking from experience.

~~~
marcuzhn
I am not sure why all this hate, as I said we fucked up the way the initial
ticket has been handled and it's sorted now. :P FYI we plan to release the fix
shortly and sebiw has already been rewarded via our official bug bounty
program.

~~~
monatron
You're not exactly making things much better with the professionalism of your
replies.

------
nstart
Since I went through something similar recently, one of the best things to do
is to get in touch with the CERT local to the company and tell them what the
issue is. They can be pretty effective in pushing companies to solve the
problem.

------
Canada
They don't care? Full disclosure then.

~~~
mryan
No. Even though the company does not care about their lack of security, the OP
could risk opening himself up to legal issues if he announces the exploit and
provides enough detail for it to be exploited.

~~~
sneak
What legal issues, specifically?

~~~
mryan
I'm not going to research specific statutes for you, if that's what you are
asking. But some examples off the top of my head...

Assume for the sake of argument that Nexmo is based in the UK. Using this
exploit to access someone else's Nexmo.com account would be a violation of the
Computer Misuse Act.

Writing a blog post detailing exactly how you achieved this would be a public
admission of violating the Computer Misuse Act.

Another example: Person A publishes instructions detailing how to exploit this
issue. Person B follows the steps, and causes financial harm to Nexmo. Nexmo
sues Person B for exploiting their systems, and also names Person A in the
lawsuit because their publication led directly to Person B's actions.

I'm not certain either of these cases would hold up in court, but there is
certainly a risk that Nexmo would take the second approach. In the OP's shoes,
the safest thing is not to publish. I'm not saying that's the right choice -
just the safest from a legal perspective.

------
twunde
The people you need to reach are the software developers that maintain the
system. It's probably best to try to contact one of them through social
media.

Yes there are companies that don't care about security. Often these mean that
the software was built or operated by people with an agency/consulting
background who care more about whether the software works.

~~~
jsprogrammer
The software doesn't work if someone has reset your password and emptied your
account of credits.

~~~
twunde
Yes and no. This is a bug and a high severity bug once exploited. But as long
as the main software product works "well enough" for a customer to pay for the
development and be happy with it, an agency doesn't care. The prioritization
of security varies by industry.

That said, my point is moot since it's a bug in a security fix. From the other
comments Nexmo is going through some growing pains as it transitions into the
enterprise and their IT department is struggling with prioritization.

------
mlss
You guys shouldn't give up on reporting vulnerabilities to businesses. It's a
highly important work that should be treated accordingly! It affects everybody
and keeps the internet safer. Cobalt.io seems to be doing a great job in this
area, maybe you could contact them and they can reach to the business and help
your voice be heard.

------
mathgeek
You should send them a detailed email about it. Be as detailed as possible
without doing anything illegal. Then wash your hands of it. If they don't
reply, it's not your problem.

Also, notify any companies that you know use the service. They may have some
requests to make of the compromised company, as well.

------
scorpioxy
The only answer in my opinion, and this goes for any website with a security
issue, is just not to use their service.

They either don't care or have a long list of higher-priority issues than
this. Either way, nothing you can do.

------
shoq
We just started using Nexmo because of its pricing and easy integration into
an existing portal. Companies like Viber or airbnb rely on Nexmo. I hope this
is resolved asap.

------
2Fdev2Fnull
HP follows a 120 day rule.

(1) disclose privately (2) wait either 120 days or until the vulnz iz fxd (3)
leak it 2 the world

serves them right for being a *.

------
sneak
Just publish to full-disclosure. Done and done.

------
aninteger
Why not just send an email with the vulnerability information instead of
playing email tag. Why not send an email with something like "I found a
problem with feature XYZ and here are the steps to reproduce and using these
steps I can do ABC". Problem solved.

~~~
sebiw
I don't feel comfortable emailing out such a vulnerability if I can't tell to
whom I'm writing and who can read the disclosure.

