Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: I know how to reset any Nexmo.com account, but nobody cares
131 points by sebiw on July 24, 2015 | hide | past | favorite | 56 comments
Nexmo.com provides messaging and voice solutions, such as SMS gateway functionality, and has prominent customers like Airbnb. On May I found a serious security vulnerability on their website that enables anyone to reset the password of any account on Nexmo.com by knowing the accounts email address and thus to take over an account and see what SMS messages were sent by the account, happily use credits of the account, et cetera.

I tried to figure out how to contact them about the security vulnerability, they don't have a dedicated site about security nor how security researchers can contact them, like Github and many others have (https://help.github.com/articles/github-security/). Which make me think about how important security is to that company, but anyway.

So I ended up writing to their general-purpose support email address describing that I've found a highly severe security vulnerability related to password resets and would like to get in touch with someone from their IT security department or similar. And here's what they replied:

"Thanks for your email - this challenge has finished already, but we appreciate you contacting us."

Wait ... this "challenge" has finished already? What the serious f*?!

So I replied and explained to them that my inquiry isn't about a "challenge" but a serious security hole on their site.

Finally, it seemed that they understood what I wanted and they replied with the following:

"Thanks for letting us know about this, as a result of your email we are investigating it internally. If we need any further information from you we will let you know."

The reply seemed a bit weird to me. Why don't just get in touch with me so I can explain the vulnerability? I respected their answer.

As of today, the security vulnerability is still present. How can you as a company just simply not even care about security and customer information?

So HN, what should I do? Just forget about it?

I'm Marco and I work in the ops team at Nexmo. I have found your initial email to our Support team, and I can see that there have been some changes in our dashboard related to your report. I am not sure it's fixed because I don't have the details about the vulnerability you discovered, but I do know that initially we were resetting the user password straight away after a request. This is no longer the case - the email address now receives a reset link. If your report is still relevant despite this new procedure, I am very happy to receive the details.

Also, I would like to respond to the complaints that "we don't care about security". This is simply not true and we even use a bug bounty reward program. We do care and we accept reports through https://cobalt.io/ (ex CrowdCurity), so if you share with us your username/email on cobalt, we can add you to our program.

I totally agree we fucked up handling your report better back in may. I hope you are still willing to work with us!

Hi Marco,

I'm so happy I finally have a person to talk to that seems to understand me.

Thanks for providing me the link to cobalt.io. I've never heard of that platform before. I just registered. My username is sebi

I'd think it would strengthen the position that you care about security if you would dedicate a page on your site to security. Would really like to see something like that. Not only as a security researcher, but also as a customer of yours.

Totally agree and it's in the plan to add the security page (I don't have an ETA honestly). I will add you to our program shortly, thanks!

Well, there's a "Report vulnerability" link right on the front page of nexmo.com as of right now...

So is the vulnerability fixed or not?

Yes, the fix has been deployed 20 minutes ago.

Can the OP confirm this?

I worry that "we do care about security" is increasingly insufficient. It's one thing to care about security, another to think that you take it seriously, and another to actually take it seriously.

Depending on the application, the amount of resources you should be expending on security is often times multiple times what a naive person would expect. Security is tricky and subtle, and most people don't realize how wrong they are when it comes to doing things securely.

I'm Esben, cofounder and chief product officer at Cobalt (https://cobalt.io). I can confirm that Nexmo has been running a bug bounty program with us for more than a year now. They have rewarded researchers and are in general keeping a good response time through the program.

They have now also added a link "Report Vulnerability" in the footer of nexmo.com linking directly to the program, making it easy for everyone to find it.

You can read more about there work with us here if you are interested: https://cobalt.io/case-studies/nexmo

I created an account long time ago which comes with x amount of $ for free. Somehow it got below the threshold, and Nexmo sends me an email every single day about my low account balance and tells me to add money. Since unsubscribing required me to login, now all the mail goes to spam folder.

This is last 7 days:


I have never gotten results by attempting to use a company's regular support channels. Best bet is to research who works there in a capacity that would actually be concerned about security issues.

On Nexmo's leadership page[0] I found their CTO, Eric Nadalin. A little LinkedIn search got me his profile[1]. Searching his name shows a lot of sites that would allow you to reach out to him (e.g. AngelList, Facebook, Twitter, etc.)

If that does not work, try reaching out to some of the companies that are Nexmo's clients. Even if Nexmo does not care, you can be sure that most of their clients will care, and they will definitely have the attention of Nexmo.

[0] https://www.nexmo.com/company/leadership/

[1] https://www.linkedin.com/in/enadalin

Nexmo also works with Cobalt.io: https://cobalt.io/case-studies/nexmo

Nexmo's CEO also seems to be active on Twitter: https://twitter.com/jamingo

I've had similar negative results with their support a few months back on a project I was working on. Long story short is we switched to Twilio as a result. Their response time for a high priority ticket was embarrassing. I don't know if it's related to growing pains or bad timing but for commodity services like this where it's so easy to switch to a competitor on a whim (we were only using their SMS gateway service) it's critical to stay on top as it's tough to create brand loyalty unless your support is amazing. One of the reasons I'm fiercely loyal to Stripe even if a competitor may be cheaper... their support is amazing.

We've been a nexmo customer for a few years and support has definitely gone downhill. I rarely get any support request resolved anymore. Many simply go unanswered. We're looking for another global sms provider.

Good to know, I have an upcoming project and nexmo was on the list, I'll take another look at twilio :)

This is why I love HN.

Recently implemented a two-factor auth solution for a client with Twilio and couldn't have been happier.

I had a similar problem some months ago with a prominent blogging platform and I ended up sending an email to the tech contact in their WHOIS. I got a response in less than one minute from a guy who wasn't working directly for the company, but for their hosting provider. He got the security issue fixed in something like three days.

Try WHOIS, you'll hopefully reach someone tech-savy enough to discuss with.

Full Disclosure. That's what happens when companies aren't interested in hearing about their security vulnerabilities. https://nmap.org/mailman/listinfo/fulldisclosure

IANAL, If you're "fully disclosing" a vulnerability in a service (that isn't running a responsible disclosure program) rather than a code-base, you're potentially opening yourself to legal trouble.

Even looking for vulnerability's in software running on servers that aren't controlled by you without permission is very legally sketchy.

Whether or not you should do so or not for the good of the internet is a different argument, but you should be aware of the potential implications.

I am not 100% sure about the legal details, but Nexmo as a company has a bug bounty reward program, so I assume in our case it doesn't apply because we want to know what's wrong and we request responsible disclosure (usually after the fix is in production). You can see it here: https://cobalt.io/nexmo (yes, it isn't yet linked from our www).

So, let's see if I understand this.

- Your website has no security page and setting this up is such a low priority that you have no ETA on when /security might exist.

- You instead use a third party service to manage your security disclosures. Yet, you don't link to this site from your website.

- A researcher tries to contact you again and again. He gets no reasonable response so after several months he posts on Hacker News.

The Hacker News post finally gets a response, yet you expect us to believe that you care about security???

Only API's seem to be listed as in-scope, though. dashboard.nexmo.com (as well as www., and many other subdomains) are explicitly listed as being out of scope :).

LOL I expected that. Simple reason: we have received a good number of reports for our dashboard and some of them are still open mostly because they are not top priority. Needless to say we accept all reports and reward them accordingly to severity. :)

FYI the fix has been deployed (and it was unrelated to what I've said in my first comment). Thank you very much for helping even though it didn't start the right way!

They have responded on twitter to someone linking to this post

@danielhepper This was reported back in May and was since resolved. If you have any concerns please contact us at support@nexmo.com.[1]

Maybe they fixed another security issue as they never inquired about the security hole you found. Which you suggest is still present.

[1] https://twitter.com/Nexmo/status/624582630126813184

Don't know why they are issuing such a statement. As of right now it clearly isn't fixed.

Does HackerOne[1] let you report vulnerabilities if the company isn't already signed up? Like, would they help facilitate interactions with the company, allowing some sort of public disclosure timeline?

[1]: https://hackerone.com/

Did you ask them for money? Did you describe the nature of the bug you discovered? Hard to believe a company will ignore a "I can reset any account's password" bug report. And if you're asking for a bounty, maybe they just can't afford to pay it.

I never asked for any money. Here's my full initial email to them:


I would like to inform you about a critical security vulnerability on your site.

The vulnerability allows an attacker to reset the password of an account by simply knowing the targets email address.

Please reply with a signed S/MIME message and I will precisely explain the vulnerability to you.

Kind regards, ..."

The problem is, companies get a tonne of emails like this - usually from crackpots who think that they've found a vulnerability when they haven't.

May I suggest an email which establishes your credentials and gives a bit more details - without necessarily telling a customer service agent the full details.

For example:

> My name is Bob, I'm a security researcher at FooCorp. I've discovered a serious security vulnerability with your XYZ system. It is possible to reset customers' accounts without any authorisation. I've been able to replicate this on test account abc@123. I think this is caused by a misconfigured widget. Please can you forward this message on to your head of security. You can see my previous security work at http://....

Something like that may be more likely to get some positive attention.

I've been able to replicate this on test account abc@123.

I'd leave that out unless you're confident the company isn't going to screw you. Speaking from experience.

I am not sure why all this hate, as I said we fucked up the way the initial ticket has been handled and it's sorted now. :P FYI we plan to release the fix shortly and sebiw has already been rewarded via our official bug bounty program.

You're not exactly making things much better with the professionalism of your replies.

I think that you are misinterpreting this statement as a general caution.

Sending a company proof that you've accessed a security hole (e.g. demonstrating it to them) can and has been prosecuted against has a hacking attempt and/or unauthorized access.

This is something every security researcher should know, and not necessarily pejorative against Nexmo in particular.

Sorry, I really didn't mean that as hate toward your company at all!

The parent was offering general advice for working with companies, and I was offering a general observation about that advice (namely, don't admit to technically-a-crime unless you know you're working with someone in good faith). Nothing personal, and it sounds like you guys have handled things professionally :-)

Edit: In particular and to clarify, my negative experience was not with your company.

Do you actually want an answer to that question??? It may just be a rhetorical question, or you may genuinely be wondering why you aren't getting the reaction you want.

While the whole situation is bad, you are being hit by a case of bad customer support, not necessarily a company that does not care about security. They didn't understand your message.

It's bad. But it's still reasonable to not assume the worse. Email the CEO or try to reach some developer on LinkedIn or Twitter.

Dang, that's terrible that they did not respond immediately. Goodluck. I hope you get a favorable resolution.

Since I went through something similar recently, one of the best things to do is to get in touch with the CERT local to the company and tell them what the issue is. They can be pretty effective in pushing companies to solve the problem.

They don't care? Full disclosure then.

I'm no security researcher and have def never found a zero-day , but I think this is the thinking in the industry I identify with. Someone went out of their way to research this vulnerability and spent time on documenting and testing it. They then have the ability to own whatever infrastructure this leaves opened. So, they did the security teams job and helped out.

They then take time to repeatedly contact you with sufficient documentation and the offer for more of their time for free to walk you through it. Twice. Security consultants get paid a lot of money and this service is offered for free of charge because of some hackers curiosity.

The next step is not usually full disclosure but often, "I have written this blog post detailing the vulnerability and intend to post it in N days unless I hear from you" Then it is pretty fair game for full disclosure.

No. Even though the company does not care about their lack of security, the OP could risk opening himself up to legal issues if he announces the exploit and provides enough detail for it to be exploited.

What legal issues, specifically?

I'm not going to research specific statutes for you, if that's what you are asking. But some examples off the top of my head...

Assume for the sake of argument that Nexmo is based in the UK. Using this exploit to access someone else's Nexmo.com account would be a violation of the Computer Misuse Act.

Writing a blog post detailing exactly how you achieved this would be a public admission of violating the Computer Misuse Act.

Another example: Person A publishes instructions detailing how to exploit this issue. Person B follows the steps, and causes financial harm to Nexmo. Nexmo sues Person B for exploiting their systems, and also names Person A in the lawsuit because their publication led directly to Person B's actions.

I'm not certain either of these cases would hold up in court, but there is certainly a risk that Nexmo would take the second approach. In the OP's shoes, the safest thing is not to publish. I'm not saying that's the right choice - just the safest from a legal perspective.

The people you need to reach are the software developers that maintain the system. It's probably best to try signed contract one of them through social media.

Yes there are companies that don't care about security. Often these mean that the software was built or operated by people with an agency/consulting background who care more about whether the software works.

The software doesn't work if someone has rest your password and emptied your account of credits.

Yes and no. This is a bug and a high severity bug once exploited. But as long as the main software product works "well enough" for a customer to pay for the development and be happy with it, an agency doesn't care. The prioritization of security varies by industry

That said, my point is moot since it's a bug in a security fix. From the other comments Nexmo is going through some growing pains as it transitions into the enterprise and their IT department is struggling with prioritization.

You guys shouldn`t give up on reporting vulnerabilities to businesses. It`s a highly important work that should be treated accordingly! It affects everybody and keeps the internet safer. Cobalt.io seems to be doing a great job in this area, maybe you could contact them and they can reach to the business and help your voice be heard.

You should send them a detailed email about it. Be as detailed as possible without doing anything illegal. Then wash your hands of it. If they don't reply, it's not your problem.

Also, notify any companies that you know use the service. They may have some requests to make of the compromised company, as well.

The only answer in my opinion, and this goes for any website with a security issue, is just not to use their service.

They either don't care or have a long list of higher-priority issues than this. Either way, nothing you can do.

We just started using Nexmo because of it's pricing and easy integration into an existing portal. Companies like Viber or airbnb rely on Nexmo. I hope this is resolved asap.

HP follows a 120 day rule.

(1) disclose privately (2) wait either 120 days or until the vulnz iz fxd (3) leak it 2 the world

serves them right for being a *.

Just publish to full-disclosure. Done and done.

Why not just send an email with the vulnerability information instead of playing email tag. Why not send an email with something like "I found a problem with feature XYZ and here are the steps to reproduce and using these steps I can do ABC". Problem solved.

I don't feel comfortable emailing out such a vulnerability if I can't tell to whom I'm writing and who can read the disclosure.

Applications are open for YC Summer 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact