Researchers Claim Wickr Patched Flaws but Didn't Pay Rewards

Vulnerability Lab security researchers claim that Wickr Inc., the company behind encrypted messaging service Wickr, hasn’t paid promised bounties for multiple vulnerabilities disclosed years ago, although the company did patch all of them.

The security researchers claim to have discovered nearly two dozen bugs in the Wickr software between 2013 and 2014 and to have disclosed 7 of them to the company in 2014, after Wickr launched an official bug bounty program in the beginning of that year. However, they haven’t received a reward for their effort so far.

After auditing Wickr's Windows and mobile applications (Android and iOS), Vulnerability Lab researchers discovered flaws in multiple software modules, affecting both desktop and mobile users. These included a Remote Denial of Service, an Audio Memo Function Surveillance issue, an Online-Offline Mode Messenger Exception Privacy issue, an Auth Bypass, a Blocklist Issue, an Input to Define Vulnerability, and a Local Copy Message Context Issue, among others.

The most important of these vulnerabilities is considered high risk, with a CVSS score of 7.0. Other vulnerabilities feature CVSS scores of 5.9, 5.3, 4.6, 3.3, and 2.8.

The Denial of Service flaw, the researchers say, could allow local and remote attackers to crash or shut down the software client by submitting specially crafted symbol strings as a password or name. The bug, the researchers reveal, resides in the charset validation of the parse mechanism, which is unable to interpret the characters submitted via the form before they are passed to the database management system.

The vulnerable modules are friend contacts, Wickr password auth, and friends, and the vulnerable inputs are add friends (name), Wickr password auth, and change friend (update name). The faulty parameters are name and password, and the affected libraries are qsqlcipher_wickr.dll and CFLite.dll, the security researchers explain. The issue was found in Wickr v2.2.1 for Windows.
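As an added illustration (not code from Wickr or Vulnerability Lab), the following Python validator shows the kind of charset check a client should apply to name and password fields before they reach a parser or database layer, so that malformed or unexpected code points are rejected instead of crashing the client; the field limits and the sample inputs are assumptions constructed for this example.

```python
import unicodedata

# Assumed per-field limits; Wickr's real limits are not stated in the article.
MAX_NAME_LEN = 64
MAX_PASSWORD_LEN = 128

# Unicode general categories that a name/password field should never contain:
# Cc = control characters (including NUL), Cs = surrogates, Cn = unassigned,
# Co = private use, Cf = format characters (e.g. bidi overrides, zero-width).
DISALLOWED_CATEGORIES = {"Cc", "Cs", "Cn", "Co", "Cf"}


class InvalidInput(ValueError):
    """Raised for any field that fails the charset check; the caller returns
    a form error instead of forwarding the value to the DB layer."""


def validate_field(raw: bytes, max_len: int) -> str:
    """Strictly decode a form field as UTF-8, normalise it, and reject
    disallowed code points and bad lengths. Returns the cleaned string."""
    try:
        text = raw.decode("utf-8", errors="strict")  # rejects bad bytes and surrogates
    except UnicodeDecodeError as exc:
        raise InvalidInput(f"invalid UTF-8: {exc}") from None
    # NFC normalisation so that equivalent spellings compare and store identically.
    text = unicodedata.normalize("NFC", text)
    if not text or len(text) > max_len:
        raise InvalidInput("field is empty or exceeds the allowed length")
    for ch in text:
        if unicodedata.category(ch) in DISALLOWED_CATEGORIES:
            raise InvalidInput(f"disallowed code point U+{ord(ch):04X}")
    return text


def rejects(raw: bytes, max_len: int) -> bool:
    """True if validate_field refuses the input (helper for checks)."""
    try:
        validate_field(raw, max_len)
    except InvalidInput:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary name, one with a NUL byte,
    # one with invalid UTF-8, and one carrying a right-to-left override.
    samples = [b"alice", b"bob\x00", b"\xff\xfe", "\u202eevil".encode("utf-8")]
    for s in samples:
        print(s, "rejected" if rejects(s, MAX_NAME_LEN) else "accepted")
```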

The Blocklist Issue on Update bug was found in the official Wickr v2.3.3 iOS mobile application and could allow a local attacker with a privileged account to invisibly block accounts in multi-device setups. A third vulnerability could allow a local attacker to bypass the login and access sensitive content in the application.

A bug in both Android and iOS apps allows a local attacker to remotely exploit the vulnerable audio memos function of another user account, while an issue with the iOS app could be exploited to access restricted information inside the application context. The researchers discovered a flaw in the iOS app that could allow local attackers to bypass the software/server authentication, as well as a vulnerability that could result in the compromise of a local account by resetting the never lock mechanism.

The security researchers note that they disclosed all of these issues to Wickr via its official contact, but that internal changes within the company resulted in their original reports being lost. Although the reports were considered valid, the new management team claimed to lack access to them and the researchers weren’t rewarded for their work, although the bugs were patched via a series of updates between 2014 and 2015.

As it turns out, other researchers also had issues with the Wickr bug bounty program, and Vulnerability Lab notes that an Israeli security company connected to Wickr behaves exactly the same way. The security researchers claim that, although the bug bounty advertises noticeable rewards, the company seems unwilling to pay for or recognize their work, despite being interested in receiving information about the remaining 20 bugs found by the team.

SecurityWeek has contacted Wickr for comment, but has not received a response as of the time of publishing.

Related: Facebook, Researcher Quarrel Over Instagram Hack

Ionut Arghire is an international correspondent for SecurityWeek.