There's a new bug bounty provider in town! The Belgian company Intigriti. This is a quick write-up of how I found a trivial bug in their own system.
The EU has announced that it is providing funding for bug bounties on critical open source projects. They've split the programme between HackerOne and Intigriti.
I signed up to Intigriti, and instantly received a confirmation email.
Can you guess where you go if you click the big "Activate Account" button?
I think that's the first time I've ever seen a .lu domain in the wild. Hardly surprising as there's fewer than 90,000 of them.
This looks like a phishing URL. It doesn't use https, it's a random string of gibberish characters, and an obscure domain.
As it happens, the site is legitimate. MailJet - an email marketing firm - use it as a redirector. I assume that Intigriti use them as a mailing service, and want to track every single click you make on their emails.
Why are their statistics more important than your privacy and security?
Why is this bad?
Links to http sites are not secure. That means your visit to that URL can be seen by your ISP and anyone else between you and your destination.
A user clicking on that insecure URL risks having their request intercepted. While an attacker can't log in using the data they've captured, they would be able to redirect the user and phish their details.
Why use a 3rd party?
Basically, if Mailjet gets hacked, or goes rogue, they can start phishing all of Intigriti's customers.
Thankfully, Intigriti had the good sense to not use this tracking on their password reset emails. Indeed, I must commend them on their general security, and their swift responsiveness to this minor security issue.
PLEASE STOP TRACKING EVERY LINK IN YOUR EMAILS!
Or, if you really have to - make sure your tracking server supports https, is controlled by you, and doesn't have a daft domain name.
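As an added illustration (my own example, not code from the original post or from Intigriti/MailJet), here is a small Python check a sender could run over an outgoing email template to flag exactly the class of link described above: links served over plain http, and links whose host lies outside the sender's own domain (a third-party tracking redirector). The email body, `example.com` and `tracker.example.lu` are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def audit_email_links(html_body, sender_domain):
    """Return [(url, [problems])] for every link that is plain http or that
    points at a host outside sender_domain. Clean links are omitted."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for url in parser.links:
        parsed = urlparse(url)
        problems = []
        if parsed.scheme == "http":
            problems.append("insecure (http)")
        host = (parsed.hostname or "").lower()
        # mailto: and similar links have no host and are skipped here
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            problems.append("third-party host " + host)
        if problems:
            findings.append((url, problems))
    return findings


# Constructed sample: an activation email whose button goes through an
# http tracking redirector on an unrelated domain, plus two benign links.
SAMPLE_EMAIL = """
<p>Welcome! Click below to activate.</p>
<a href="http://tracker.example.lu/AbC123xyz">Activate Account</a>
<a href="https://app.example.com/help">Help</a>
<a href="mailto:support@example.com">Contact</a>
"""

if __name__ == "__main__":
    for url, problems in audit_email_links(SAMPLE_EMAIL, "example.com"):
        print(url, "->", ", ".join(problems))
```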
- 2018-12-31 - responsibly disclosed.
- A few hours later - confirmed fixed and bounty offered. Filled in my IBAN details.
- 2019-01-02 - £90 deposited in my account.
- 2019-01-04 - permission given to publish.