Tuesday, 11 August 2015

The substandard security practices of MSI

MSI and their substandard security practices.
This post is just a quick rant to highlight some issues with MSI who are primarily a hardware manufacturer, I decided to take a look through their sites for vulnerabilities in the hope they'd reward some merch for finding vulnerabilities - a long shot but worth a go right?
I pretty quickly found 2 XSS vectors on their pages, you can find them at the links below although they have subsequently been fixed:
I attempted to get in touch with them, sadly that provided much harder than I first thought, I looked for emails I could contact but they have nothing on their sites, I tried opening a ticket with their support system who provided to be incredibly unhelpful. I then went to their forums which apparently none of the staff work for MSI and aren't in touch with MSI. It was funny to scroll down the page and find other hackers registering on the forum to request exactly what I was, an email address to send sensitive vulnerability disclosures to, it seems like I'm not the only one that struggled to get a hold of them. I even tweeted their twitter accounts asking for directions to submit vulnerabilities with no reply - they've made it very hard work to get in touch with someone who could get this information to the right staff.
In the end I was contacted by a member of MSI team called Rex, he said he'd heard about that I'd found bugs on the site, so someone somewhere passed this info along but I have no idea where from, I wrote up a complete report on the vectors plus some other vulnerabilities I was concerned about.
I didn't get a single reply, I followed up asking if they wanted to discuss responsible disclosure and what time limit they wanted me to adhere to when disclosing the bugs, but again no reply, so I'm taking that to mean they don't care, so I've published them here.
They have been fixed as of testing today, and by fixed I mean in the weakest possible sense, they still allow arbitrary HTML through onto the page in the 2nd link except they deny <script> tags, this leaves them open to god knows how many other XSS vectors.
It would have only taken them 10 seconds to write a reply to me to say thank you and that they don't supply bug bounties, but they couldn't even manage that. Not only do MSI not care about security of their websites, they have no interest in making it easy to contact them, they don't run any kind of bug bounty or even have the common courtesy to reply to people who are responsibility disclosing vulnerabilities - basically screw MSI.