February 28, 2018

A Few EdgeCast Notes

Note: Verizon Media is now known as Yahoo.


Re: EdgeCast, after H1-5411

Thanks to everyone who spent their time hacking on EdgeCast Customers at H1-5411. We have confirmed that a number of the reported issues stem from a single underlying design that will need to be updated. Reports sent in during the event were awarded the normal bounty amount; however, we will be taking a modified approach for the following vulnerability types on all EdgeCast assets.

Our product team is working on this issue, but it is not a simple fix; doing it the right way will take a while.

Normally these issues would be awarded anywhere from $750 to $5,000. While we work on the underlying issue, any newly identified vulnerabilities that are associated with this work will be awarded a flat $750 regardless of severity.

  • Insecure Direct Object Reference
  • Privilege Escalation (Horizontal and Vertical)
  • Authorization Bypass

CSRF should not be reported; it is a known issue that we are currently working on resolving (previously posted, and viewable on the Program Updates blog).

These details will be attached to the assets in a shortened format, and will apply for all reports posted after 10/8/2018.

Re: EdgeCast Duplicate Reports

From the compliance audit customer communications:

Risk Management and Internal Audit

Verizon has formally documented risk assessment and internal audit procedures that comply with ISO/IEC 27001:2013. In the event of any findings, Corrective Action Reports are generated and a formal ISO Risk Assessment procedure is employed, as directed by corporate policy. ISO Risk Assessments are also performed annually for SOC 2, PCI DSS and ISO/IEC 27001:2013 compliance, including vulnerability and penetration testing.

You may not be aware, but the VDMS products undergo annual penetration testing for ISO 27001 certification. If you file a report on a finding that has already been given to us by one of our penetration testing services (internal or external), the report will be closed as Informative or as a Duplicate, depending on whether you are the first on the HackerOne platform to submit it. We will try to provide clarity when this occurs, but cannot guarantee transparency. If this happens, you will get a note that looks similar to:

Thank you for reporting this issue; however, we have already been alerted to the presence of this vulnerability or exploit as part of our normal penetration testing engagements. If you have additional locations where this exploit can execute, please include them, as we may not be aware of all locations; in the event you have found a new location, we will be happy to award a partial bounty.

Please continue testing the VDMS assets that are included in scope at present. You have found some excellent vulnerabilities so far and we look forward to more.

Happy Hacking,

The Paranoids