- The Washington Times - Thursday, December 17, 2015

The CEO of a dating app for people with HIV has rejected claims that a researcher was threatened with the potentially deadly virus after disclosing a serious security flaw that compromised the details of thousands of users — but admits he’s willing to take legal action against the website that reported the breach.

A misconfigured database recently allowed security experts to access sensitive details, including names, messages and pictures pertaining to thousands of users of Hzone, a smartphone app aimed at connecting singles who are HIV-positive.

Yet when the website DataBreaches.net approached Hzone about the issue earlier this month, a response from the app’s support team suggested the news was taken none too kindly.

“I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead,” read the message that the administrator of the data breach site, a privacy advocate and mental health professional who uses the alias “Dissent,” said she received in an email from Hzone last week.

After The Washington Times published on Wednesday an article concerning the security compromise and the subsequent exchange, Hzone CEO Justin Robert sent an email rejecting allegations that anyone had threatened the researcher with HIV.

“That is not true,” he said of the claim.

“Hzone is very small at the moment. However, we still reserve the right to a lawsuit to Databreaches.com [sic] for this makeup,” Mr. Robert told the Times.

Dissent from DataBreaches told The Times on Thursday that she wasn’t concerned with the possibility of “a dumb-ass lawsuit,” and said she’d consider legal action of her own to address the fact that extremely personal details pertaining to some 5,027 accounts had been inadvertently made public as a result of the dating app’s misconfigured database.

“For my part, I may file a formal complaint against them with the Federal Trade Commission because they stored sensitive information in clear text and their incident response was deplorable, leaving their users at risk of substantial injury,” she told the Times.

But with litigation an all too common reaction faced by security researchers who want to reveal vulnerabilities, the risk of legal trouble is enough for some to say they have avoided disclosure altogether.

“A large national phone company never found out how their switches were vulnerable because of the timing of my initial FBI case,” said Adrian Lamo, the computer hacker who was pursued by the Justice Department over a decade ago for a series of intrusions he had accomplished on the computer servers of companies including The New York Times, Yahoo! and Microsoft, among others.

Mr. Lamo, 34, told the Times he’s “inadvertently noticed plenty of possible security issues” since his case was resolved, but has elected to keep them to himself rather than go public.

“It’s not worth the risk to help someone out, not knowing if you’ll face thanks or court for your troubles. If companies want to shun public assistance, they should damn well be held more responsible for their inevitable and prolific failures than ones that do the responsible thing and offer bug bounties,” Mr. Lamo said.

“It’s not like researchers are going to stop noticing bugs. They’ll just keep their own counsel on them. And I know plenty of people — a majority — with the same mindset, thanks to the prioritization of ego over security that many companies seem to engage in.”

Hzone said in a statement this week that it was thankful DataBreaches had reported what the company described as a “hack attempt” and that it responded by “immediately” implementing strong security measures.

That site’s administrator said such wasn’t the case, however, and that it took Hzone five days to get back to her after she made multiple attempts to alert the app starting December 8 after learning from an independent security researcher, Chris Vickery, that private user data had become publicly accessible.

“Hzone did not reply at all until after I emailed them on Dec. 12 to say I would be publishing a report on the leak on December 14 and I had some questions for them,” the DataBreaches admin said Thursday. A day before that article was slated to appear, Dissent said she received an email from Mr. Robert “threatening me with HIV infection, and then accusing me of all kinds of crap.”

“Somewhere in the middle of that bizarre exchange, he claimed, ‘We have already secured our users’ database,’” she recalled, prompting her to reach out again to Mr. Vickery. Not only hadn’t Hzone fixed the issue, Dissent said she learned, but another app run by the same company was similarly leaking user data.

“DataBreaches.net went above and beyond to get Hzone to respond to a leak that could have serious consequences for its users. For them to make such accusations or threaten litigation, well, good luck to them with that,” she said.

Facebook’s chief security officer, Alex Stamos, said Thursday that the social networking site has paid out over $4.3 million to researchers over the last few years through its own “bug bounty” program, adding that while “early steps towards a future of better cooperation between security researchers and big companies are encouraging,” he was concerned that the situation was still fragile and could lead to researchers more regularly receiving “overblown criminal charges.”

Mr. Robert did not immediately respond to a request from the Times in which he was asked to explain his rationale for potentially suing the website, but in a statement said that the company would take action against an unidentified “group of hackers” he blamed for breaching the app.

“We firmly believe that any attempt to steal any sort of information is a despicable and immoral act, and reserve the right to sue the involved parties in all relevant courts of law. Our IT team is working on documenting evidence relevant to all steps of the security breach attempt made by the hackers,” he said.

The admin of DataBreaches told the Times that Mr. Robert had previously accused her of downloading the data and making changes to the database — an allegation she denies.

“If he’s still claiming I did, then let him produce logs to show that. If I were litigious, I’d point out to him that such statements on his part could subject him and Hzone to a defamation suit,” she said.
