In the world of cybersecurity, the safeguarding of sensitive data and the protection of users’ privacy are of paramount importance. Companies that offer Software as a Service (SaaS) are entrusted with the responsibility of maintaining robust security practices to prevent unauthorized access and potential breaches. Unfortunately, one such SaaS provider, WebBoss.io, has fallen short of these expectations. The company’s repeated lack of transparency regarding disclosed vulnerabilities raises serious concerns about their commitment to user safety and the protection of sensitive data.
As an independent researcher, I recently foundmyself revisitng a vendor one year on. To my surprise, there was more to find, more to disclose, highlighting serious flaws that could jeopardize user data and the overall integrity of the system. The vulnerabilities reported included Reflected XSS, Insecure Direct Object Reference (IDOR), and other critical issues. However, instead of promptly addressing these concerns, WebBoss.io’s response was lackluster and ineffective, raising significant questions about their commitment to cybersecurity.
Critical Vulnerabilities Left Unresolved
Among the vulnerabilities disclosed, the most alarming was the Critical Insecure Direct Object Reference (IDOR) vulnerability (CVE-2023–36339), which took the SaaS provider 59 days to address. Despite the severity of this issue, WebBoss.io failed to provide a specific date for the patch, and no mitigation measures were ever taken to protect users until the remediation process was complete, 59 days later. This flaw allows attackers to access the Website Backup Tool via a crafted GET request, leading to unauthorized access and data breaches.
Rewind back to 2022, I responsibly disclosed security vulnerabilities to WebBoss.io, as part of my commitment to improving cybersecurity across the digital landscape. These disclosures included issues, such as Reflected XSS (CVE-2023–37742), that could potentially allow attackers to execute malicious code on users’ browsers. While WebBoss.io reportedly applied a “Security Hotfix” to address the vulnerabilities, they failed to inform their customers about the specific issues, hindering users’ understanding of the urgency and importance of updating their systems, and most importantly they did not apply an adequate patch as vulnerable vectors (including the exact same one) were eveidently still present one year on. This worrisome sign, and the fact that a plethora of security issues were again identified suggests that WebBoss.io fails to perform its own security testing /assessments— either by 3rd party or otherwise, which is a crucial and essential practice for any reputable and compliant organization, particularly in today’s digital era where cyber threats and attacks are progressively more sophisticated and widespread.
Negligent Response and Transparency Lacking
In 2023, throughout the entire disclosure process, WebBoss.io exhibited a negligent response to the reported vulnerabilities. Their communication was often dismissive and failed to provide concrete timelines for fixes. The lack of transparency was evident when the company claimed to have notified all customers about the patches, but I did not receive such notification, despite being signed up to their platforn, only after I raised this with them in a ticket did the email arrive.. many hours later.. Additionally, the inital changelog released by WebBoss.io failed to mention the CVE IDs for the recently disclosed vulnerabilities, hindering transparency and accountability.
Important Of Transparency
Transparent communication is not merely a courtesy; it is a crucial aspect of security responsibility. When companies withhold critical information about vulnerabilities and security updates, they leave their users at risk. Without clear information, users may not recognize the severity of the situation or the urgency of applying patches. This lack of transparency undermines the trust users place in the company’s commitment to their security.
Disregard for Industry Best Practices
During my correspondence with WebBoss.io I highlighted several best practices and industry standards that WebBoss.io had evidently been disregarded, including vulnerability management, incident response and monitoring, customer notification, security assessments, and data privacy and protection. Neglecting these essential security measures raises serious concerns about WebBoss.io’s commitment to safeguarding their customers’ data and complying with relevant data protection regulations.
A Terrible Attempt Of Silencing The Situation
WebBoss.io malicously accused me of blackmail and involved the police, but the authorities swiftly dismissed the claim. I want to clarify that I never had any ulterior motive, nor did I make any demands. I simply told them if a patch was not released within 28 days, I would proceed with public disclosure.
Protecting User Data Should be Paramount
As a SaaS provider, WebBoss.io holds sensitive user data, which should makes security a top priority. However, their repeated lack of transparency raises questions about their dedication to protecting user data. Adequate disclosure of security vulnerabilities empowers users to take appropriate action, ensures they are aware of potential risks, and fosters a sense of trust between users and the company.
This lack of response and transparency from WebBoss.io is once-again both concerning and in direct contradiction to the principles of transparency and accountability that are integral to ISO 27001 certification that they boast on there website.
I must emphasize that ISO 27001 signifies adherence to stringent information security management standards, regulations, and best practices. My analysis has revealed evident, documented deviations from these requirements, which raises serious concerns about regulatory compliance and the security posture of the system involved and it’s users.
The handling of security disclosures by WebBoss.io has been riddled with negligence, unresponsiveness, and a lack of transparency. The delayed response to critical vulnerabilities and the failure to prioritize user data protection reveal a disconcerting lack of commitment to cybersecurity best practices.
As a responsible security researcher, I made every effort to highlight these vulnerabilities and prompt WebBoss.io to take appropriate action as swiftly as possible. Regrettably, the company’s response and handling has been inadequate, prompting me to seek public disclosure. This unfortunate situation could have been avoided had WebBoss.io demonstrated a more proactive approach to security, conducted their own due-dillegence and promptly addressed the reported vulnerabilities, or at they very least provide dates for patches.
As users of WebBoss.io’s SaaS services, it is essential to be vigilant and take precautionary measures to protect sensitive data when using this sytem. Customers should urge the company to prioritize security measures and demand transparency regarding the implementation of patches and future security enhancements.
Depending on your use-case for WebBoss.io’s CMS, It may be suggested to replace the affected object with an alternative, robust and transparent product.
As earilier stipulated, and well recognized, In the world of cyber, the protection of user data should be paramount. Sadly, WebBoss.io’s handling of security disclosures raises significant doubts about their commitment to ensuring the safety and privacy oUpdated 6th Aug 2023 — added more context.f their users.
Updated 6th Aug 2023 — added more context.
I reached out to webboss for comment, allowing them the opportunity to have their say, but have yet to recevive any response.
Check out our new Discord Cyber Awareness Server. Stay informed with CVE Alerts, Cybersecurity News & More!
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.