Websites belonging to the Electronic Freedom Foundation (EFF) — an international organization focused on digital rights — contained multiple vulnerabilities and potential security problems. These were reported via EFF’s bug bounty program and have since been fixed.
The following vulnerabilities were found:
Weak SSL certificates
A total of 13 websites were found to be operating with an SSL certificate chain whose intermediate certificate was signed using SHA-1. Of these, 9 were subdomains of eff.org. Of these, 12 have been fixed with stronger certificates and 1 website is no longer operational.
1 website was found that redirected to a non-EFF website because ownership of its IP address had changed. This website is no longer operational.
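The check behind this finding is whether any certificate in a site's chain, the intermediate in particular, carries a SHA-1 (or MD5) signature. The following Python is an added example, not code from the original report or from EFF: it reads the signatureAlgorithm OID directly out of DER with no third-party library and flags weak hashes. The certificates it audits are constructed DER skeletons with a real signatureAlgorithm field; a real chain can be fed in from `openssl s_client -showcerts` after converting each PEM block with `ssl.PEM_cert_to_DER_cert`.

```python
# Signature-algorithm OIDs a chain audit should flag (SHA-1 and MD5 based).
WEAK_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                       "1.2.840.10040.4.3": "dsa-with-sha1", "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    """Decode base-128 OID contents into dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    top = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [top, arcs[0] - 40 * top] + arcs[1:])

def signature_algorithm_oid(der):
    """Read Certificate.signatureAlgorithm.algorithm from a DER-encoded X.509 certificate."""
    tag, start, _ = _read_tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # tbsCertificate, skipped as a whole
    _, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid_start, oid_end = _read_tlv(der, alg_start)
    return _decode_oid(der[oid_start:oid_end])

def weak_chain_signatures(chain_der):
    """chain_der: DER certs, leaf first, without the self-signed root (a trust anchor is trusted by
    identity, so the hash on its own signature is irrelevant). Returns [(index, algorithm name)]."""
    names = (WEAK_SIGNATURE_OIDS.get(signature_algorithm_oid(cert)) for cert in chain_der)
    return [(i, name) for i, name in enumerate(names) if name]

# Constructed sample input (not real certificates): minimal DER skeletons with a real sigAlg field.
def _der(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _fake_cert(oid_bytes):
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))    # oversized filler so long-form lengths get exercised
    alg = _der(0x30, _der(0x06, oid_bytes) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11 (acceptable)
SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5  (weak)
SAMPLE_CHAIN = [_fake_cert(SHA256_RSA), _fake_cert(SHA1_RSA)]   # SHA-256 leaf, SHA-1 intermediate
```

Running `weak_chain_signatures(SAMPLE_CHAIN)` reports the SHA-1 intermediate at index 1 and nothing for the SHA-256 leaf.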
No SSL for sensitive data
1 website, under the control of a third-party vendor and used for soliciting donations, was found not to use SSL. This website is no longer operational.
Unpatched / Vulnerable software
9 websites were running outdated, vulnerable versions of various web software; all have been patched.
Discovered by Yakov Shafranovich in collaboration with the Shaftek Enterprises Security Research Team.
This discovery qualified for a security bounty under the terms of the EFF Security Vulnerability Disclosure Program.
2015-12-03: Vendor notified
2015-12-03: Vendor response received
2015-12-17: Bounty received
2016-05-30: Fixes confirmed, public disclosure