Gaana, one of the top music streaming services catering mainly to users in India, was temporarily taken offline today and the passwords of all its users reset due to a data breach. The announcement from its official Twitter feed, verbatim:
Local reports identified the culprit to be a Pakistan-based hacker named Mak Man, who posted a searchable archive of Gaana’s stored data online, revealing not only the login details of users, but also their passwords and personal information such as nicknames, date of birth, email addresses and social media profiles. Through the use of an SQL injection-based exploit, Mak Man was able to break into Gaana’s database and take the customer information, along with screenshots of the service admin panel.
Gaana and Mak Man did confirm that the leaked passwords were ‘salted’, meaning that they require another program to translate them into plain text. In short, the leaked passwords are useless.
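The two technical points above, the SQL injection that gave the attacker the database and the salting that makes the leaked password column far less useful, are easiest to see side by side in working code. The following is an added example written for this article, not code from Gaana or from the attacker; the table layout, the sample accounts and the `lookup_vulnerable`/`lookup_safe` names are constructed assumptions, and it runs against an in-memory SQLite database so nothing real is touched.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample accounts for the demo (not Gaana's schema or real records).
SAMPLE_USERS = [
    ("alice@example.com", "correct horse"),
    ("bob@example.com", "battery staple"),
]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means two users with
    the same password get different hashes, so a leaked table cannot be
    attacked in bulk with one precomputed lookup table."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash)


def build_db() -> sqlite3.Connection:
    """Create the toy users table and store salted hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, pw in SAMPLE_USERS:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    """The defect class behind the breach: user input is pasted into the SQL
    text, so a quote in the input changes the query's logic."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[str]:
    """The fix: a parameterized query binds the input as data, so the same
    string is matched literally and never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # classic injection string, used here only to show the contrast
    print("vulnerable:", lookup_vulnerable(db, probe))  # every account comes back
    print("safe:      ", lookup_safe(db, probe))        # nothing matches literally
    s1, h1 = hash_password("same-password")
    s2, h2 = hash_password("same-password")
    print("same password, different hashes:", h1 != h2)
    print("verify:", verify_password("same-password", s1, h1))
```

The `lookup_safe` query is the one-line change that closes the injection; the salted PBKDF2 storage is what limits the damage when an injection or any other bug exposes the table anyway. Note that salting does not make a leaked hash harmless, it only forces an attacker to work on each account separately, so a forced password reset like Gaana's is still the right response.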
While this in itself seems to be an open-and-shut case as far as data breaches are concerned—a big company being attacked by a threat actor through security flaws in its own applications—further reading revealed more details about this incident.
In an update posted on Gaana’s own Twitter feed, it was revealed that Mak Man, the culprit of the data breach, actually reported the vulnerability he used to break into the streaming service’s database BEFORE posting the offending screenshots.
It was only after Gaana failed to take action that Mak Man published the info dump and the screenshots, most likely in an attempt to force the streaming service to do something about the vulnerability.
While not exactly commonplace, security researchers getting frustrated at the lack of response to their reported findings and doing something drastic to force change isn’t new. It’s similar to a recent incident in which a security researcher allegedly hacked into a plane’s flight systems and diverted its flight path—also after the manufacturer didn’t act on his report on the plane’s vulnerabilities. That researcher was arrested upon landing.
Should security researchers have to do this? To exploit the same vulnerability they discovered and first reported, just to get the company or organization involved to move to resolve it? Trend Micro doesn’t think so. Of course, revealing stored personal information stolen from a company’s database is not quite the same as hacking a plane and potentially endangering all the lives on board. While it did bring attention to those vulnerabilities—and in Gaana’s case, pushed them to act—doing so only works against the security industry’s efforts.
First off, it puts victims at risk—the same victims that these security researchers are trying to protect by reporting the vulnerability. In the case with Gaana, the photos with the users’ personal information were posted online, on a public website. While Mak Man did take the website down, any cybercriminal who was alerted of the attack could have easily saved the screenshots for his own malicious purposes.
What should have been done, then, considering that these security researchers did in fact approach those responsible for the vulnerability, but were ignored? Trend Micro argues that they could have revealed their findings to local tech media outlets first, but only after all efforts to work with the affected entities proved fruitless, and only after they had offered solutions.
Contacting local tech media about the vulnerability can draw public attention to the matter without exposing users to the vulnerability’s effects. It also gives the company’s customers the power to compel it to take action.
By the same token, companies that deal with online technology should take vulnerability reports seriously and act on them in a much more timely fashion. While this doesn’t mean that companies should drop everything to address every vulnerability report, they should at least have a team that can handle such reports quickly and decisively, without affecting uptime.
Ignoring or delaying action on something as serious as an existing vulnerability won’t make it go away, especially in cases like the two above, which could have ballooned into something much worse. Investing in security solutions that offer vulnerability shielding is also essential in this situation, to prevent it from happening again.
Gaana should still be commended for its prompt mass password reset once the news broke. Sure, it took a data breach to get them moving, but better late than never.
As for end-users, while it’s impossible for anyone to predict which company’s product will have dangerous vulnerabilities (or when they’ll have a data breach), immediate action with password changes after a data breach is always recommended. For those affected by this specific attack, make sure to not only change your Gaana account password, but also the passwords of your social media and email accounts. If you reuse your specific Gaana account password for anything else, make sure to change that too.
And if you spot a vulnerability being reported by an independent security researcher and it’s not being addressed publicly by the company involved, notify them personally (especially if you’re a customer). As a user, you have more power to influence things than you think.
Looking for vulnerabilities and reporting them to the parties concerned is always a noble endeavor, and should always be encouraged—but irresponsible vulnerability reporting and handling is something that needs to be addressed.