Flippa Security Vulnerability Reported and Fixed

by Dave Slutzkin

Late last week we were informed of a security vulnerability on Flippa.com. Within hours we had patched the site to close the vulnerability and conducted a thorough audit of our security logs. This post was delayed by a legal and insurance requirement that we fully assess any exposure before commenting; that assessment has now been completed.

First, and most importantly, no financial details were compromised: we do not store credit card numbers at all, so there was nothing of that kind on the site to expose.

Second, no passwords were compromised. We store only hashed passwords, never plaintext, so no Flippa admin, and therefore no one using an admin account, can read them.
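The property the post relies on is that a password store holding only salted, iterated hashes lets the site verify a login without anyone who can read the table, including an administrator, being able to recover the password. The following is an added example of that pattern and is not Flippa's code; the user names, passwords, record format, and work factor are all constructed for illustration.

```python
# Added example (not Flippa's code): salted, iterated password hashing that an
# operator with read access to the users table can verify against but not reverse.
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; production deployments should use a
# value at or above current guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means identical passwords produce different
    records, so a stolen table cannot be attacked with one precomputed table.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed sample users table (not real Flippa data).
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Hashed once at start-up so unknown users cost the same work as known ones,
# which keeps login timing from revealing whether a user name exists.
_DUMMY_RECORD = hash_password("not-a-real-password")


def check_login(username: str, password: str) -> bool:
    """Authenticate against the table without leaking user existence via timing."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)
        return False
    return verify_password(password, record)


def record_reveals_password(record: str, password: str) -> bool:
    """What someone reading the row sees: neither the password nor its hex encoding."""
    return password in record or password.encode("utf-8").hex() in record
```

The caveat a practitioner would add: hashing protects against disclosure through admin tooling or a casual read of the table, which is the situation the post describes. It does not make a dumped hash table harmless, since an attacker holding the hashes can still guess offline; the salt and iteration count exist to make that guessing expensive, which is why the work factor should be revisited as hardware improves.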

Our information came from Adam Hosker from a “whitehat” hacker site. Adam is a Flippa.com member from the UK and he says he found the issue in the course of his day-to-day activities on Flippa.

Essentially, Adam was able to log in as another Flippa user. He used that mechanism to log in as an admin user and therefore could access a small range of admin functions:

  • Dispute resolution
  • Add credits to user accounts
  • Promotional credit campaign creation
  • Moderate auction comments
  • Ability to (un)ban/(un)suspend user
  • Spreadsheet of member name/email address pairs

Having fixed the vulnerability, we have also conducted a full security audit of the entire Flippa marketplace system to ensure that this does not happen again. We are completely committed to the safety of our users and the integrity of our system.

10 Responses to Flippa Security Vulnerability Reported and Fixed

  1. Website Flipping Blog says:

    Thanks for the update on this issue and for letting everyone know the exact details. As I reported on my blog, I was concerned that private information may have been compromised (i.e. passwords). Good to hear that wasn’t the case. And better yet, good to hear this was fixed immediately and that a full audit was conducted.

    Travis

  2. Dave Starr says:

    Thanks for the efficient and adult manner in which this case was handled. Over the years I have seen way too many cases where security incidents, real or imagined, were blown all out of proportion and collected all sorts of inane and juvenile comments.

    Or even worse, the allegedly affected sites would refuse any comment, thus allowing rife speculation and making a bad situation worse. It’s always better to disclose what the clients need to know and clear the waters before they get too muddy.

    I’m glad you folks are on the job.

  3. spgazette says:

    * Dispute resolution
    * Add credits to user accounts
    * Promotional credit campaign creation
    * Moderate auction comments
    * Ability to (un)ban/(un)suspend user
    * Spreadsheet of member name/email address pairs

    You missed off “log in as another user”. Adam, and all the other hackers who have hacked into Flippa, could sign in as any Flippa member they wished, no?

    • Dave Slutzkin says:

      Paul, that was the nature of the vulnerability, as I’ve stated in the post: “Adam was able to log in as another Flippa user.” This is the vulnerability which has now been closed.

      • spgazette says:

        Dave, Adam logged in as an admin user. Admin users have the ability to log in as any Flippa user they wish. How do you know that Adam didn’t have a snoop around users’ PMs looking for sensitive data?

        Shouldn’t your blog post warn Flippa users that if they disclosed logins and passwords via PM, then they should think about changing them? Sometimes sellers PM logon details for their affiliate accounts to interested buyers. Imagine a hacker having access to that data!

        That your blog post says Adam signed on as an admin user and then had access to a harmless set of functions doesn’t really explain the danger to your users. That the software vulnerability has now been removed doesn’t explain to your users that the danger caused by the vulnerability is still present.

  4. FruitMedley Post says:

    Dave, I think the big issue unveiled by the security breach is the disclosure that Flippa staff have access to read PMs exchanged between users AND DO READ these private messages. That’s a gross violation of privacy and something the Flippa privacy policy doesn’t disclose.

    Can we confirm why you access and read private messages exchanged between registered users, something that, to my knowledge, is done by NO OTHER FORUM?

    • benitez17 says:

      Don’t hold your breath, Flippa has already buried this post with a new one in record time.

  5. Darren says:

    Are you really asking if admin can read users’ PMs? Yes they can, it’s standard. When you say NO other forum lets admin read users’ PMs you’re WRONG. EVERY forum software out there has this as standard; there are so many reasons why it’s needed.

    But the fact is, if the Admins/Owners have access to the database they can read and see what they want.

    I think it’s clear to see why no admins have commented on your questions: it’s because anyone with half a brain would never ask such a question.