Vulnerability Lab security researchers claim that Wickr Inc., the company behind encrypted messaging service Wickr, hasn’t paid promised bounties for multiple vulnerabilities disclosed years ago, although the company did patch all of them.
The security researchers claim to have discovered nearly two dozen bugs in the Wickr software between 2013 and 2014 and to have disclosed 7 of them to the company in 2014, after Wickr launched an official bug bounty program in the beginning of that year. However, they haven’t received a reward for their effort so far.
After performing an audit of the Wickr’s Windows and mobile applications (Android and iOS), Vulnerability Lab researchers discovered flaws in multiple software modules, thus impacting both desktop and mobile users. These included Remote Denial of Service, Audio Memo Function Surveillance, Online-Offline Mode Messenger Exception Privacy, Auth Bypass, a Blocklist Issue, Input to Define Vulnerability, and a Local Copy Message Context Issue, among others.
The most important of these vulnerabilities is considered high risk, with a CVSS score of 7.0. Other vulnerabilities feature CVSS scores of 5.9, 5.3, 4.6, 3.3, and 2.8.
The Denial of Service flaw, the researchers say, could allow local and remote attackers to crash or shutdown the software client by using specially crafted symbol strings as password or name. The bug, the researchers reveal, resides in charset validation of the parse mechanism not being able to interpret the character submitted via form to the database management system.
The vulnerable modules include friend contacts, Wickr password auth, and friends, while the vulnerable inputs are add friends (name), Wickr password auth, and change friend (update name). The faulty parameters are name and password, while affected libraries include qsqlcipher_wickr.dll and CFLite.dll, the security researchers explain. The issue was found in Wickr v2.2.1 for Windows.
The Blocklist Issue on Update bug was found in the official Wickr v2.3.3 iOS mobile application and could allow a local attacker with a privileged account to invisibly block accounts in multi-device setups. A third vulnerability could allow a local attacker to bypass the login and access sensitive content in the application.
A bug in both Android and iOS apps allows a local attacker to remotely exploit the vulnerable audio memos function of another user account, while an issue with the iOS app could be exploited to access restricted information inside the application context. The researchers discovered a flaw in the iOS app that could allow local attackers to bypass the software/server authentication, as well as a vulnerability that could result in the compromise of a local account by resetting the never lock mechanism.
The security researchers note that they disclosed all of these issues to Wickr via its official contact, but that internal changes within the company resulted in their original reports being lost. Although the reports were considered valid, the new management team claimed to lack access to them and the researchers weren’t rewarded for their work, although the bugs were patched via a series of updates between 2014 and 2015.
As it turns out, other researchers also had issues with the Wickr bug bounty program, and Vulnerability Lab notes that an Israeli security company connected to Wickr behaves exactly the same. The security researchers claim that, although the rewards are noticeable when the bug bounty is reached, the company seems unwilling to pay or recognize their work, despite being interested in receiving information about the remaining 20 bugs found by the team.
SecurityWeek contacted Wickr for comment, but had not recieved a response as of the time of publishing.
UPDATE – 11/02/2016:
Wickr has emailed back today, saying that they have contacted the researchers and that communication is ongoing. They also pointed at a blog post from their CTO Chris Howell, who admits that communication with the researchers was an issue. Differences of opinion related to the significance of the reported issues also emerged, but the company will focus on better communication to avoid similar situations:
“These differences are common in the context of a bug bounty, but I’m willing to bet that if we had been more communicative we would have found common ground. I’m going to focus on making improvements in this area right away, starting with these researchers. I also plan on looking into third parties to help keep us on point with the program overall as we grow and expand our product portfolio.”
Howell also points out that the company has “never and would never fail to pay a researcher for disclosing a worthy security issue or knowingly patch a significant issue reported under the program and fail to recognize the source.” According to Howell, almost “20% of all researchers who have provided qualifying submissions have earned a cash award over the history of our program.”
But that still leaves 80% of the researchers with qualifying submissions out of the cash rewards list.
Wickr contacted SecurityWeek again, to clarify the situation on the 80% of qualifying research submissions that don’t make it to the list of cash rewards.
“The remaining 80% of submissions are either repetitive of the bugs other researchers have previously identified and got awarded for or are low quality bugs as calculated by likelihood and impact on our users, or do not rise to the level of what the team considers serious enough for the program (e.g. “you can take screenshots on iOS”). From our discussions with the colleagues within the information security industry, it is clear that Wickr’s experience with a signal-to-noise ratio in bug bounty isn’t unique.”
Wickr also cited Bug Crowd’s 2016 annual report (PDF) as an example of similar numbers. The report reveals that, of the total received submissions, 45.38% (24,516) were marked invalid, while 36.23% (19,574) were marked duplicate, meaning that only 18% (9,963) submissions were non-duplicates.< /p>
UPDATE – 12/05/2016 – Vulnerability Lab told SecurityWeek that Wickr has ultimately decided to award a bounty of more than $5,000 for the flaws.
