Advisory: Multiple Vulnerabilities in EFF websites

Overview

Websites belonging to the the Electronic Freedom Foundation (EFF) — an international organization focused on digital rights — contained multiple vulnerabilities and potential security problems. These were reported via EFF’s bug bounty program and were fixed.

Details

The following vulnerabilities were found:

Weak SSL certificates

A total of 13 websites were found to have be operating with an SSL certificate using an intermediary certificate with SHA-1. Of these, 9 were subdomains of eff.org. Of these, 12 have been fixed with stronger certificates and 1 website is no longer operational.

Accidental redirect

1 website was found that redirected to an non-EFF website, due to a change in IP address ownership. This website is no longer operational.

No SSL for sensitive data

1 website under control of a third-party vendor and used for soliciting donations was found not to use SSL. This website is no longer operational.

Unpatched / Vulnerable software

9 websites were using vulnerable older versions of different type of web software, all have been patched.

Credits

Discovered by Yakov Shafranovich in collaboration with the Shaftek Enterprises Security Research Team.

Bounty Information

This discovery qualified for a security bounty under the terms of the EFF Security Vulnerability Disclosure Program.

Timeline

2015–12–03: Vendor notified
2015–12–03: Vendor response received
2015–12–17: Bounty received
2016–05–30: Fixes confirmed, public disclosure

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s