Some weeks ago, a group of researchers disclosed a vulnerability that they had found on Ford’s website. The vulnerability, CVE-2021-27653, stemmed from a misconfigured instance of Pega Infinity customer engagement system running on Ford’s servers. According to the researcher group, if an attacker were to exploit the discovered vulnerability, the attacker could access internal company info, databases and take over accounts.
The bug was first discovered by Robert Willis, a white hat security researcher at Sakura Samurai, who explained his founding in a blog post and later involved more white hat hackers.
The vulnerability is rated as a medium security risk, as described:
“Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 – 8.5.x could lead to unintended data exposure.”
According to Willis, in the case of an exploit an adversary could easily access customers’ and employees’ personal data and sensitive company documents, which indeed could have been devastating for Ford.
However, the researchers reached out to the Pega in February 2021, who quickly fixed the CVE in their chat portal. Around the same time, they also reported the issue to Ford via HackerOne, a vulnerability disclosure program. Ford though, did not respond as quickly. According to the researcher group Ford’s communication concerning the issue faded as the responsible disclosure timeline progressed. The researchers heard back from HackerOne only after tweeting about the flaw, but without giving out any sensitive details. And when the vulnerability was marked as resolved, Ford ignored their disclosure request, and HackerOne ignored their request for help disclosing.
“We had to wait the full six months to force disclose per HackerOne’s policy out of fear of the law and negative repercussions,” according to John Jackson, one of the white hat hackers in the research group.
After six month, Ford’s vulnerability disclosure program (at HackerOne) does not offer any compensation or “bug bounties”, so a coordinated disclosure in light of public interest was the only “reward” the researcher group were hoping for.
But Ford have not commented on the specific security-related actions, and their gratitude to the researcher group is expressed accordingly:
“The findings you submitted… are considered private. These vulnerability reports are intended to prevent compromises which may require disclosure.”
Written by Joakim Rosell