Advisory: Multiple Vulnerabilities in EFF websites


Websites belonging to the Electronic Freedom Foundation (EFF) — an international organization focused on digital rights — contained multiple vulnerabilities and potential security problems. These were reported via EFF’s bug bounty program and were fixed.


The following vulnerabilities were found:

Weak SSL certificates

A total of 13 websites were found to be operating with an SSL certificate chained through an intermediate certificate signed with SHA-1. Of these, 9 were subdomains of …; 12 have since been fixed with stronger certificates and 1 website is no longer operational.
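Not part of the original advisory: an added Python check that walks a PEM chain and reports the signature algorithm of every certificate in it, so a SHA-1 intermediate is caught even when the leaf is signed with SHA-256 (a leaf-only check misses the class of finding described above). The chain in `SAMPLE_CHAIN` is constructed with a tiny DER encoder and contains no real certificates; the parser assumes well-formed DER and only validates the tag of the signature-algorithm OID.

```python
import base64
import re

# Signature-algorithm OIDs commonly seen in web PKI chains; the SHA-1 ones are the weak set
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

def read_tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many bytes encode the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # DER OID content bytes -> dotted notation (first byte packs the first two arcs)
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = read_tlv(der, 0)             # outer SEQUENCE
    _, _, after_tbs = read_tlv(cert, 0)       # skip tbsCertificate entirely
    _, alg_id, _ = read_tlv(cert, after_tbs)  # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def audit_chain(pem_bundle):
    """[(index, algorithm name, uses_sha1)] for every certificate in the bundle, leaf first."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    oids = [signature_oid(base64.b64decode("".join(b.split()))) for b in blocks]
    return [(i, SIG_ALGS.get(o, o), o in SHA1_OIDS) for i, o in enumerate(oids)]

# Constructed sample (not real certificates): a SHA-256 leaf chained to a SHA-1 intermediate
def tlv(tag, value):  # minimal DER encoder, used only to build the sample
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x82]) + len(value).to_bytes(2, "big") + value
def fake_cert(sig_oid_der):
    tbs = tlv(0x30, tlv(0x04, bytes(200)))  # filler tbsCertificate, long enough to need long-form length
    der = tlv(0x30, tbs + tlv(0x30, tlv(0x06, sig_oid_der) + b"\x05\x00") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_CHAIN = fake_cert(bytes.fromhex("2a864886f70d01010b")) + fake_cert(bytes.fromhex("2a864886f70d010105"))
```

To audit a real server, replace `SAMPLE_CHAIN` with the PEM chain it serves and flag any entry whose third field is `True`.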

Accidental redirect

1 website was found that redirected to a non-EFF website, due to a change in IP address ownership. This website is no longer operational.

No SSL for sensitive data

1 website under control of a third-party vendor and used for soliciting donations was found not to use SSL. This website is no longer operational.

Unpatched / Vulnerable software

9 websites were using vulnerable older versions of different types of web software; all have been patched.


Discovered by Yakov Shafranovich in collaboration with the Shaftek Enterprises Security Research Team.

Bounty Information

This discovery qualified for a security bounty under the terms of the EFF Security Vulnerability Disclosure Program.


2015-12-03: Vendor notified
2015-12-03: Vendor response received
2015-12-17: Bounty received
2016-05-30: Fixes confirmed, public disclosure
