Researchers Claim Wickr Patched Flaws but Didn’t Pay Rewards

Vulnerability Lab security researchers claim that Wickr Inc., the company behind encrypted messaging service Wickr, hasn’t paid promised bounties for multiple vulnerabilities disclosed years ago, although the company did patch all of them.

The security researchers claim to have discovered nearly two dozen bugs in Wickr's software between 2013 and 2014 and to have disclosed seven of them to the company in 2014, after Wickr launched an official bug bounty program at the beginning of that year. They say they have yet to receive a reward for that work.

After auditing Wickr's Windows and mobile (Android and iOS) applications, Vulnerability Lab researchers found flaws in multiple software modules, affecting both desktop and mobile users. These included a Remote Denial of Service, an Audio Memo Function Surveillance issue, an Online-Offline Mode Messenger Exception Privacy issue, an Auth Bypass, a Blocklist Issue, an "Input to Define" vulnerability, and a Local Copy Message Context Issue, among others.

The most severe of these vulnerabilities is rated high risk, with a CVSS score of 7.0; the others carry CVSS scores of 5.9, 5.3, 4.6, 3.3 and 2.8.

The Denial of Service flaw, the researchers say, could allow local and remote attackers to crash or shut down the client by submitting specially crafted symbol strings as a password or name. According to the researchers, the bug lies in the charset validation of the client's parse mechanism, which is unable to interpret certain characters submitted through a form before they are handed to the database management system.

The vulnerable modules include friend contacts, Wickr password auth, and friends, while the vulnerable inputs are add friends (name), Wickr password auth, and change friend (update name). The faulty parameters are name and password, while affected libraries include qsqlcipher_wickr.dll and CFLite.dll, the security researchers explain. The issue was found in Wickr v2.2.1 for Windows.
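The crash described above is the classic outcome of letting the storage layer be the first thing that interprets untrusted characters. The following is an added example, not code from Wickr or Vulnerability Lab, of the defensive pattern a client should apply instead: validate and normalize a user-supplied name before it reaches the database, reject anything the UTF-8 layer cannot encode (such as a lone surrogate), strip out control and format characters, and bind the value with a parameterized query so the DBMS never parses it. It uses Python's stdlib `sqlite3` as a stand-in for the SQLCipher-backed store the article mentions; the table layout, field names, length limit and sample inputs are all assumptions constructed for the demonstration.

```python
import sqlite3
import unicodedata

# Added example (not Wickr's code). Field names, schema and the length
# limit are assumptions; the sample inputs at the bottom are constructed.

MAX_NAME_LEN = 64

# Unicode general categories the client refuses in a display name:
# Cc = control (incl. NUL), Cf = format (zero-width, bidi overrides),
# Cs = surrogate, Co = private use, Cn = unassigned.
_REJECTED_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn"}


class InvalidInput(ValueError):
    """Raised for input the client refuses to pass on to storage."""


def validate_name(raw: str) -> str:
    """Return a canonical (NFC) display name or raise InvalidInput."""
    if not isinstance(raw, str) or not raw:
        raise InvalidInput("empty name")
    # A str holding a lone surrogate cannot be encoded as UTF-8. Catch that
    # here instead of letting a lower layer (DB driver, C library) fail on it.
    try:
        raw.encode("utf-8")
    except UnicodeEncodeError as exc:
        raise InvalidInput("unencodable character") from exc
    # Canonical composition so visually identical names compare equal.
    name = unicodedata.normalize("NFC", raw)
    for ch in name:
        if unicodedata.category(ch) in _REJECTED_CATEGORIES:
            raise InvalidInput(f"disallowed character U+{ord(ch):04X}")
    if len(name) > MAX_NAME_LEN:
        raise InvalidInput("name too long")
    return name


def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the client's local contact database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE friends(id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def add_friend(conn: sqlite3.Connection, raw_name: str) -> int:
    """Validate, then insert with a bound parameter; returns the new row id."""
    name = validate_name(raw_name)
    cur = conn.execute("INSERT INTO friends(name) VALUES (?)", (name,))
    return cur.lastrowid


def try_add(conn: sqlite3.Connection, raw_name: str):
    """Return (True, stored_name) on success or (False, reason) if rejected."""
    try:
        rid = add_friend(conn, raw_name)
    except InvalidInput as exc:
        return False, str(exc)
    row = conn.execute("SELECT name FROM friends WHERE id = ?", (rid,)).fetchone()
    return True, row[0]


if __name__ == "__main__":
    store = open_store()
    # Constructed inputs: plain ASCII, precomposed and decomposed accents,
    # an embedded NUL, a lone surrogate, and a right-to-left override.
    samples = ["alice", "Zo\u00eb", "e\u0301", "bob\x00", "\ud800evil", "a\u202eb"]
    for s in samples:
        print(repr(s), try_add(store, s))
```

The important design choice is that rejection happens before the DB driver ever sees the string: a value that survives `validate_name` is guaranteed to be encodable UTF-8 with no control or format characters, and the parameterized `INSERT` means the database engine receives it as opaque data rather than something to parse.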

The Blocklist Issue on Update bug was found in the official Wickr v2.3.3 iOS mobile application and could allow a local attacker with a privileged account to invisibly block accounts in multi-device setups. A third vulnerability could allow a local attacker to bypass the login and access sensitive content in the application.

A bug in both the Android and iOS apps allows a local attacker to remotely exploit the vulnerable audio memos function of another user account, while an issue in the iOS app could be exploited to access restricted information inside the application context. The researchers also found a flaw in the iOS app that could allow local attackers to bypass the software/server authentication, as well as a vulnerability that could lead to the compromise of a local account by resetting the "never lock" mechanism.

The security researchers note that they disclosed all of these issues to Wickr via its official contact, but that internal changes within the company resulted in their original reports being lost. Although the reports were considered valid, the new management team claimed to lack access to them and the researchers weren’t rewarded for their work, although the bugs were patched via a series of updates between 2014 and 2015.

As it turns out, other researchers have also had issues with the Wickr bug bounty program, and Vulnerability Lab notes that an Israeli security company connected to Wickr behaves the same way. The researchers claim that, although the program advertises substantial rewards, the company seems unwilling to pay for or acknowledge their work, despite being interested in receiving information about the remaining 20 or so bugs the team found.

SecurityWeek contacted Wickr for comment, but had not received a response as of the time of publishing.

UPDATE – 11/02/2016: 

Wickr emailed back today, saying that it has contacted the researchers and that communication is ongoing. The company also pointed to a blog post from its CTO, Chris Howell, who admits that communication with the researchers was an issue. Differences of opinion over the significance of the reported issues also emerged, but the company says it will focus on better communication to avoid similar situations:

“These differences are common in the context of a bug bounty, but I’m willing to bet that if we had been more communicative we would have found common ground. I’m going to focus on making improvements in this area right away, starting with these researchers. I also plan on looking into third parties to help keep us on point with the program overall as we grow and expand our product portfolio.”

Howell also points out that the company has “never and would never fail to pay a researcher for disclosing a worthy security issue or knowingly patch a significant issue reported under the program and fail to recognize the source.” According to Howell, almost “20% of all researchers who have provided qualifying submissions have earned a cash award over the history of our program.”

But that still leaves 80% of the researchers with qualifying submissions out of the cash rewards list.

Wickr contacted SecurityWeek again to clarify the situation regarding the 80% of qualifying research submissions that did not result in a cash reward.

“The remaining 80% of submissions are either repetitive of the bugs other researchers have previously identified and got awarded for or are low quality bugs as calculated by likelihood and impact on our users, or do not rise to the level of what the team considers serious enough for the program (e.g. “you can take screenshots on iOS”). From our discussions with the colleagues within the information security industry, it is clear that Wickr’s experience with a signal-to-noise ratio in bug bounty isn’t unique.” 

Wickr also cited Bugcrowd's 2016 annual report (PDF) as an example of similar numbers. The report shows that, of the total submissions received, 45.38% (24,516) were marked invalid and 36.23% (19,574) were marked duplicate, meaning that only about 18% (9,963) of submissions were both valid and non-duplicate.

UPDATE – 12/05/2016 – Vulnerability Lab told SecurityWeek that Wickr has ultimately decided to award a bounty of more than $5,000 for the flaws.

Related: Facebook, Researcher Quarrel Over Instagram Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
