About a month ago, like any other morning, I woke up and, while still in bed, checked my phone. But unlike other mornings, I had a flood of emails from Exceptional about unhandled exceptions in Factor.io. It was clear to me that an intruder was looking for security vulnerabilities.
Luckily this was a white-hat hacker. He later got in touch with me and reported his findings. While there were a few functional bugs as well as some “best practices” we didn’t adhere to, there was only one bug that really should have been fixed. Since we fixed the bug, I sent him a t-shirt.
About a week ago I saw the picture of this white-hat hacker on Facebook wearing the t-shirt. I think this was the first step in unleashing the fury of hackers.
A number of other white-hat hackers saw the opportunity for a free t-shirt and social credit, so they too started hacking away. I got another flood of 20 reports.
One of those hackers suggested I set up an account with HackerOne, which I did, as it makes managing bugs and relationships much easier.
I failed to realize that once the Factor.io profile went live on HackerOne, a ton of hackers would start hacking away on Factor.io. And surely they did. Over the weekend over 200 new accounts were created.
- Two different HTML injection vulnerabilities, though neither had a clear security impact. In both cases a user was able to enter values that would later render the injected HTML on the client. In both cases the user could only attack their own account.
- A few functional bugs were identified too. For example, the password recovery screen after a user is locked out had a functional bug.
- Lastly, there were a few decent “best practices” recommendations.
- I can now say that Factor.io has been sufficiently pen tested.
- There were about 150 issues reported total. Of those 150, only about 5 of them warranted a fix. Another 5 or so were practices that probably should be fixed, but didn’t have any direct security implications. As a result, I had to spend a few days already just managing the weak bugs and not having enough time to work on the higher quality ones.
- One hacker resorted to name calling because I didn’t accept his bug for the bounty.
- Another wrote “…please make this public so that other security researchers can have a look at it and know your poor security skills.” My retort was “Please don’t be rude”. I had to practice being humble, despite having managed major security initiatives at Microsoft impacting hundreds of thousands of people and millions (if not billions) of dollars.
- Even though DoS attacks were out of scope for the bounty, numerous DoS attacks took place. As a result, Factor.io experienced a total of 3 hours of downtime over the past few days. Furthermore, we had to spend extra money to upgrade our email server plan, as we reached our mail limit.
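The HTML injection class mentioned in the findings above is worth a concrete illustration. The following is an added example, not Factor.io's code: it assumes a hypothetical profile "display name" field that is stored and later rendered into a page, shows the unsafe rendering beside the output-encoded version, and includes a small audit helper for triaging stored values that already contain markup. The sample records are constructed.

```javascript
// Added example (not from the original post or from Factor.io). Assumes a
// hypothetical "display name" field that is stored and rendered later.

// Constructed sample input: a display name containing markup.
const SAMPLE_NAME = '<script>alert(1)</script>';

// Vulnerable: the stored value is interpolated straight into HTML, so any
// markup the user typed is rendered by the browser.
function renderProfileUnsafe(name) {
  return `<h1>Welcome, ${name}</h1>`;
}

// Encode the five characters that change meaning in HTML text and
// double- or single-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, value encoded at output time. Encoding at output
// (not only validating at input) is what closes the bug regardless of how
// the value reached the database.
function renderProfileSafe(name) {
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Triage helper: given stored records, return the (id, field) pairs whose
// values contain an HTML tag. Useful for checking whether a reported
// injection point already holds injected markup from other users.
function findStoredMarkup(records, fields) {
  const tagPattern = /<\/?[a-zA-Z][^>]*>/;
  const hits = [];
  for (const rec of records) {
    for (const field of fields) {
      if (typeof rec[field] === 'string' && tagPattern.test(rec[field])) {
        hits.push({ id: rec.id, field });
      }
    }
  }
  return hits;
}

// Constructed sample records for the audit helper.
const SAMPLE_RECORDS = [
  { id: 1, displayName: 'Alice', bio: 'Builds things' },
  { id: 2, displayName: SAMPLE_NAME, bio: 'n/a' },
  { id: 3, displayName: 'Bob', bio: '<img src=x>' },
];

console.log(renderProfileUnsafe(SAMPLE_NAME)); // markup reaches the browser
console.log(renderProfileSafe(SAMPLE_NAME));   // markup is rendered as text
console.log(findStoredMarkup(SAMPLE_RECORDS, ['displayName', 'bio']));
```

In the reports described above the injected value was only shown back to the account that entered it, which is why the impact was limited; the fix is the same either way, and the audit helper tells you quickly whether the field is also displayed to other users who could have been affected.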