Overview
Websites belonging to the Electronic Freedom Foundation (EFF) — an international organization focused on digital rights — contained multiple vulnerabilities and potential security problems. These were reported via EFF’s bug bounty program and have been fixed.
Details
The following vulnerabilities were found:
Weak SSL certificates
A total of 13 websites were found to be operating with an SSL certificate chain that included an intermediate certificate signed with SHA-1. Of these, 9 were subdomains of eff.org. 12 have since been fixed with stronger certificates and 1 website is no longer operational.
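The finding above is the kind of thing a defender wants to catch in an automated inventory scan rather than a bounty report. The following is an editor-added example, not code from the advisory or from EFF: it parses the outer structure of DER-encoded X.509 certificates with a minimal ASN.1 reader, extracts the signatureAlgorithm OID of each certificate in a chain, and flags any non-root certificate signed with SHA-1. The certificates it checks are constructed stand-ins (only the outer SEQUENCE / AlgorithmIdentifier / BIT STRING layout is real); the OID tables are the standard RFC 3279 / RFC 4055 values. The trust anchor's own signature is never verified by clients, so a SHA-1 root is reported but not flagged.

```python
"""Audit a certificate chain for SHA-1 signature algorithms (editor-added example)."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055).
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Parse one DER TLV (single-byte tag, short or long length).
    Returns (tag, value_start, value_end, next_tlv_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }"""
    tag, start, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, _, pos = _read_tlv(cert_der, start)          # skip tbsCertificate
    tag, alg_start, _, _ = _read_tlv(cert_der, pos)    # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end, _ = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(cert_der[oid_start:oid_end])


def load_pem_chain(text):
    """Extract every PEM CERTIFICATE block (e.g. from `openssl s_client -showcerts`) as DER."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(chain, last_is_trust_anchor=True):
    """chain: list of (label, der_bytes) ordered leaf -> root.
    Returns [(label, algorithm_name, is_weak)]. The trust anchor's own signature
    is not verified by clients, so it is reported but never flagged."""
    report = []
    for i, (label, der) in enumerate(chain):
        oid = signature_algorithm(der)
        name = SHA1_SIG_OIDS.get(oid) or STRONG_SIG_OIDS.get(oid) or oid
        is_anchor = last_is_trust_anchor and i == len(chain) - 1
        report.append((label, name, oid in SHA1_SIG_OIDS and not is_anchor))
    return report


# --- constructed test data (NOT valid certificates; only the outer layout is real) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunks = [a & 0x7F]
        a >>= 7
        while a:
            chunks.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunks))
    return out


def make_fake_cert(sig_oid):
    """Stand-in certificate: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))


if __name__ == "__main__":
    sample = [("leaf", make_fake_cert("1.2.840.113549.1.1.11")),
              ("intermediate", make_fake_cert("1.2.840.113549.1.1.5")),
              ("root", make_fake_cert("1.2.840.113549.1.1.5"))]
    for label, name, weak in audit_chain(sample):
        print(f"{label:13} {name:25} {'WEAK' if weak else 'ok'}")
```

In practice the chain would come from `load_pem_chain()` applied to the output of `openssl s_client -showcerts`, which lists the leaf first; the root is usually not sent by the server, so pass `last_is_trust_anchor=False` when the last certificate received is an intermediate.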
Accidental redirect
1 website was found that redirected to a non-EFF website, due to a change in IP address ownership. This website is no longer operational.
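A redirect of this kind usually shows up as a DNS record that still points at an address the organization no longer controls. The check below is an editor-added example, not part of the advisory: given each hostname's resolved addresses (here constructed from RFC 5737 / RFC 3849 documentation ranges rather than looked up live) and an inventory of address ranges the organization owns, it lists every hostname resolving outside that inventory as a candidate stale record to review.

```python
"""Flag hostnames resolving outside the organisation's own address ranges (editor-added example)."""
import ipaddress

# Constructed inventory: ranges the organisation controls (documentation prefixes, not EFF's).
OWNED_RANGES = ["192.0.2.0/24", "2001:db8::/32"]

# Constructed resolver snapshot: hostname -> addresses it currently resolves to.
SAMPLE_RECORDS = {
    "www.example.org": ["192.0.2.10"],
    "old-campaign.example.org": ["198.51.100.7"],   # points at someone else's space
    "ipv6.example.org": ["2001:db8::1"],
    "mirror.example.org": ["192.0.2.20", "203.0.113.9"],  # one good, one stale address
}


def resolved_outside_inventory(host_records, owned_ranges=OWNED_RANGES):
    """Return sorted (hostname, address) pairs whose address is in no owned range."""
    nets = [ipaddress.ip_network(n) for n in owned_ranges]
    stale = []
    for host, addrs in host_records.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            # ip_network.__contains__ rejects mismatched address families, so compare versions first
            if not any(ip.version == n.version and ip in n for n in nets):
                stale.append((host, addr))
    return sorted(stale)


if __name__ == "__main__":
    for host, addr in resolved_outside_inventory(SAMPLE_RECORDS):
        print(f"{host}: {addr} is outside the owned address inventory")
```

Feeding this the output of a periodic zone dump plus a resolver sweep turns the accidental-redirect class of problem into a scheduled report instead of an external finding.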
No SSL for sensitive data
1 website under control of a third-party vendor and used for soliciting donations was found not to use SSL. This website is no longer operational.
Unpatched / Vulnerable software
9 websites were using vulnerable older versions of different types of web software; all have been patched.
Credits
Discovered by Yakov Shafranovich in collaboration with the Shaftek Enterprises Security Research Team.
Bounty Information
This discovery qualified for a security bounty under the terms of the EFF Security Vulnerability Disclosure Program.
Timeline
2015-12-03: Vendor notified
2015-12-03: Vendor response received
2015-12-17: Bounty received
2016-05-30: Fixes confirmed, public disclosure