{"id":52909,"date":"2023-07-24T13:24:09","date_gmt":"2023-07-24T13:24:09","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/34824\/WebBoss.io-CMS-Concerns-A-Tale-Of-Neglect-And-Unresponsiveness.html"},"modified":"2023-07-24T13:24:09","modified_gmt":"2023-07-24T13:24:09","slug":"webboss-io-cms-concerns-a-tale-of-neglect-and-unresponsiveness","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/webboss-io-cms-concerns-a-tale-of-neglect-and-unresponsiveness\/","title":{"rendered":"WebBoss.io CMS Concerns: A Tale Of Neglect And Unresponsiveness"},"content":{"rendered":"

In the world of cybersecurity, the safeguarding of sensitive data and the protection of users\u2019 privacy are of paramount importance. Companies that offer Software as a Service (SaaS) are entrusted with the responsibility of maintaining robust security practices to prevent unauthorized access and potential breaches. Unfortunately, one such SaaS provider, WebBoss.io, has fallen short of these expectations. The company\u2019s repeated lack of transparency regarding disclosed vulnerabilities raises serious concerns about their commitment to user safety and the protection of sensitive data.<\/p>\n

As an independent researcher, I recently foundmyself revisitng a vendor one year on. To my surprise, there was more to find, more to disclose, highlighting serious flaws that could jeopardize user data and the overall integrity of the system. The vulnerabilities reported included Reflected XSS, Insecure Direct Object Reference (IDOR), and other critical issues. However, instead of promptly addressing these concerns, WebBoss.io\u2019s response was lackluster and ineffective, raising significant questions about their commitment to cybersecurity.<\/p>\n

<\/span>Critical Vulnerabilities Left Unresolved<\/span><\/h3>\n

Among the vulnerabilities disclosed, the most alarming was the Critical Insecure Direct Object Reference (IDOR) vulnerability (CVE-2023\u201336339<\/a>), which took the SaaS provider 59 days to address. Despite the severity of this issue, WebBoss.io failed to provide a specific date for the patch, and no mitigation measures were ever taken to protect users until the remediation process was complete, 59 days later. This flaw allows attackers to access the Website Backup Tool via a crafted GET request, leading to unauthorized access and data breaches.<\/p>\n

<\/span>Further Context<\/span><\/h3>\n

Rewind back to 2022, I responsibly disclosed security vulnerabilities to WebBoss.io, as part of my commitment to improving cybersecurity across the digital landscape. These disclosures included issues, such as Reflected XSS (CVE-2023\u201337742<\/a>), that could potentially allow attackers to execute malicious code on users\u2019 browsers. While WebBoss.io reportedly applied a \u201cSecurity Hotfix\u201d to address the vulnerabilities, they failed to inform their customers about the specific issues, hindering users\u2019 understanding of the urgency and importance of updating their systems, and most importantly they did not apply an adequate patch <\/strong>as vulnerable vectors (including the exact same one) were eveidently still present one year on. This worrisome sign, and the fact that a plethora of security issues were again identified suggests that WebBoss.io fails to perform its own security testing\u200a\/assessments\u2014\u200aeither by 3rd party or otherwise, which is a crucial and essential practice for any reputable and compliant organization, particularly in today\u2019s digital era where cyber threats and attacks are progressively more sophisticated and widespread.<\/p>\n

<\/span>Negligent Response and Transparency Lacking<\/span><\/h3>\n

In 2023, throughout the entire disclosure process, WebBoss.io exhibited a negligent response to the reported vulnerabilities. Their communication was often dismissive and failed to provide concrete timelines for fixes. The lack of transparency was evident when the company claimed to have notified all customers about the patches, but I did not receive such notification, despite being signed up to their platforn, only after I raised this with them in a ticket did the email arrive.. many hours later.. Additionally, the inital changelog released by WebBoss.io failed to mention the CVE IDs for the recently disclosed vulnerabilities, hindering transparency and accountability.<\/p>\n

<\/span>Important Of Transparency<\/span><\/h3>\n

Transparent communication is not merely a courtesy; it is a crucial aspect of security responsibility. When companies withhold critical information about vulnerabilities and security updates, they leave their users at risk. Without clear information, users may not recognize the severity of the situation or the urgency of applying patches. This lack of transparency undermines the trust users place in the company\u2019s commitment to their security.<\/p>\n

<\/span>Disregard for Industry Best Practices<\/span><\/h3>\n

During my correspondence with WebBoss.io I highlighted several best practices and industry standards that WebBoss.io had evidently been disregarded, including vulnerability management, incident response and monitoring, customer notification, security assessments, and data privacy and protection. Neglecting these essential security measures raises serious concerns about WebBoss.io\u2019s commitment to safeguarding their customers\u2019 data and complying with relevant data protection regulations.<\/p>\n

<\/span>A Terrible Attempt Of Silencing The Situation<\/span><\/h3>\n

WebBoss.io malicously accused me of blackmail and involved the police, but the authorities swiftly dismissed the claim. I want to clarify that I never had any ulterior motive, nor did I make any demands. I simply told them if a patch was not released within 28 days, I would proceed with public disclosure.<\/p>\n

<\/span>Protecting User Data Should be Paramount<\/span><\/h3>\n

As a SaaS provider, WebBoss.io holds sensitive user data, which should makes security a top priority. However, their repeated lack of transparency raises questions about their dedication to protecting user data. Adequate disclosure of security vulnerabilities empowers users to take appropriate action, ensures they are aware of potential risks, and fosters a sense of trust between users and the company.<\/p>\n

\n
\"webboss