We have reported the vulnerabilities described in our paper to the affected websites and system developers. Contact was made through public and private bug bounty programs, email and contact forms. For ethical reasons, the paper does not name vulnerable websites and systems that did not fix the vulnerabilities we reported or did not respond. On this page we publish the vendor responses we are able to share (the page will be updated as more vendors patch the vulnerability).
Websites
Of the 25 vulnerable websites to which we sent a report, we can currently publish only the responses of Reddit and Zillow.
Reddit's security team confirmed the vulnerability and fixed it by adding an anti-CSRF token to the login interface.
Zillow's security team plans to implement a solution that will help mitigate the security risks of the attack.
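The fix Reddit's team describes, an anti-CSRF token on the login interface, stops a cross-site page from submitting login attempts through the victim's browser, because the forged request can carry the victim's cookies but not a token the attacker never saw. The following is an added illustration written for this page, not Reddit's code and not from our paper; the cookie name, field name, HMAC construction and in-memory server key are assumptions chosen for the example.

```python
import hmac
import hashlib
import secrets

# Constructed server-side key for the example; a deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)
PRE_LOGIN_COOKIE = "pre_login"   # assumed cookie name
TOKEN_FIELD = "csrf_token"       # assumed hidden form field name


def issue_login_form():
    """Render step: set an unguessable pre-login cookie and embed a token bound to it.

    The token is an HMAC of the cookie value, so the server needs no per-visitor state
    and a token only validates together with the cookie it was derived from.
    """
    pre_login_id = secrets.token_urlsafe(32)
    token = hmac.new(SERVER_KEY, pre_login_id.encode(), hashlib.sha256).hexdigest()
    # In a real response this cookie would also carry the HttpOnly and SameSite attributes.
    cookies = {PRE_LOGIN_COOKIE: pre_login_id}
    form_fields = {TOKEN_FIELD: token}
    return cookies, form_fields


def login_request_is_genuine(cookies, form):
    """Validate step: accept the login POST only if the form token matches the cookie.

    A missing cookie, a missing token, or a token derived from a different cookie
    all cause rejection before the credentials are even looked at.
    """
    pre_login_id = cookies.get(PRE_LOGIN_COOKIE)
    submitted = form.get(TOKEN_FIELD)
    if not pre_login_id or not submitted:
        return False
    expected = hmac.new(SERVER_KEY, pre_login_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak token bytes.
    return hmac.compare_digest(expected, submitted)


def demo():
    """Three cases: a genuine submission, a cross-site forgery, and a mismatched token."""
    cookies, fields = issue_login_form()
    genuine = login_request_is_genuine(
        cookies, {**fields, "user": "alice", "password": "constructed"}
    )
    # A cross-site page can make the browser attach the cookie but cannot read the token.
    forged = login_request_is_genuine(cookies, {"user": "alice", "password": "constructed"})
    # A token obtained under a different pre-login cookie does not validate either.
    _other_cookies, other_fields = issue_login_form()
    mismatched = login_request_is_genuine(cookies, other_fields)
    return genuine, forged, mismatched


if __name__ == "__main__":
    print(demo())
```

The same check is what makes a CAPTCHA or an account lockout unnecessary for this particular vector: the server can tell a first-party login form submission from a request injected by another origin, so cross-site login attempts never reach the password check at all.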
CMS
We contacted WordPress, Wordfence and Drupal; all confirmed our findings that their systems are vulnerable to XS Challenge-Response attacks.
WordPress said that individual websites should decide how to implement security solutions, using plugins, firewall rules or monitoring systems.
Wordfence, which is just such a security plugin, confirmed that it will block the vulnerability and discussed possible solutions such as CAPTCHA or account lockout.
All In One WP Security, the second largest WordPress security plugin, is also considering fixing the issue.
Drupal confirmed the vulnerability and told us that further, possibly public, discussion is needed to find a decent mitigation (one that will not hurt user experience and performance).
IoT
Currently we can publish only two responses from IoT or router vendors.
The CCTV manufacturer Hikvision is taking this threat seriously and confirmed the vulnerability. They mentioned that their new devices are not vulnerable to XS Challenge-Response attacks, as the design was changed to counter general CSRF attacks. However, old models cannot be remotely patched or updated and remain vulnerable to the attacks.
The CCTV manufacturer Foscam is examining the protection mechanisms described in our paper in order to fix the login interfaces of its CCTV devices.