Vulnerability Disclosure Policy

Wickr strives to build quality software that delivers on our security promises.  In the event that security defects are found after our software is released, we will act in accordance with this policy to keep customers informed. 

This policy describes how we disclose security-related defects in Wickr software. To report a security defect, please inform us via email at bugbounty@wickr.com.

Program Highlights

Wickr has implemented development and testing processes and programs aimed at preventing, detecting and eliminating security-related defects over the entire software lifecycle.  Key elements of our minimization strategy include:

  • Developer training
  • Secure coding guidelines
  • Security peer review process
  • Security test automation
  • Static and dynamic analysis
  • Third party security testing
  • Public and private bug bounty programs

Priorities

In deciding when to disclose an issue, to whom, and how much detail to provide, we balance two important priorities:  customer security and transparency.  Our goal for issue disclosure is to be as open and informative as possible without increasing risk to customers. 

Policy

We will disclose Wickr software security defects that represent Critical, High or Medium risks. Issue severity will be represented using the Common Vulnerability Scoring System version 3.0 (CVSSv3) but may deviate from CVSS if factors not captured in the score exist.

Advisories will not include proof-of-concept code, details, attack steps or methodology that could be used to exploit the issue.

Advisories for all of our products will be published below. 

We will notify Wickr Enterprise customers directly if the issue impacts Wickr Enterprise. If public disclosure of issues impacting Wickr Enterprise would be strictly informational for users of our other products, we may publish the advisory some time after the fix is deployed and/or available.


Advisory: Add Administrator-Related XSS Vulnerabilities in Wickr Pro Administration Console

Published: April 18, 2018

Version: 1.0

Severity

Medium (Wickr Pro)

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Low (Wickr Enterprise)

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Summary:

By submitting a forged request to the Wickr Pro or Wickr Enterprise Administration Console, a Wickr network administrator could store malicious JavaScript code in place of certain network properties and execute what is commonly referred to as a stored cross-site scripting attack against another administrator of their network. The flaw was discovered in areas of the console related to the display of network properties and would most likely be exploited by adding new administrators to previously tainted networks.

This issue was caused by missing input validation and output encoding in the affected areas.  It was exploitable only by authorized users of the console during a valid login session and could only be used against other authenticated users in the same network.  It has been fixed in the currently deployed and available versions of our products.

Recommendation:

Wickr Enterprise customers should upgrade their messaging backend to version 2.11.3 or later.  This issue has been fixed in currently deployed versions of Wickr Pro and no user action is necessary.

Affected Products: Wickr Pro and Wickr Enterprise Administration Console versions prior to 2.11.3.

Impact: Likelihood of exploitation in Wickr Pro is considered to be low because the most likely case depends on the victim being guided to interact with a tainted network based on a suspicious email from an attacker email address. Likelihood of exploitation in Wickr Enterprise is considered to be very low because Enterprise networks are not multi-tenant.

Source: These issues were privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.11.3.

***

Advisory: Use of Third-Party Component in Wickr Pro Administration Console Could Have Led To DOM-Based XSS

Published: April 18, 2018

Version: 1.0

Severity: Medium

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Summary: If tricked into accessing the Wickr Pro Administration Console via a malicious link, users could have been impacted by a DOM-based XSS vulnerability. This issue was caused by an error in the way that Google Tag Manager, a third-party JavaScript library used for new network onboarding analytics, was integrated with the site. It has been fixed in the currently deployed version of our product.

Recommendation: None. The issue is fixed in the currently deployed version of the product.

Affected Products: Wickr Pro Administration Console versions prior to 2.11.0.

Impact: If exploited, worst case impacts include loading malware and stealing login credentials.  Likelihood of exploitation is considered to be low since the victim would need to access the console via a link sent in a suspicious email or other unsolicited message.

Source: These issues were privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.11.0.

***

Advisory: Vulnerability in Wickr Pro Administration Console Could Allow Admins to View Billing Information For Other Networks

Published: April 10, 2018

Version: 1.0

Severity: Medium

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/CR:H/IR:M/AR:L/MAV:N

Summary: By submitting a forged request to the Wickr Pro Administration Console, a Wickr network administrator could download a billing statement associated with another network.

This issue was caused by a missing authorization check in the download statement console function to ensure that the requested statement/invoice belonged to the logged in user.  It was exploitable only by authorized users of the console during a valid login session.  It has been fixed in the currently deployed version of our product.

Recommendation: None. The issue is fixed in the currently deployed version of the product.

Affected Products: Wickr Pro Administration Console versions prior to 2.9.27.

Impact: If exploited, this issue could have exposed limited Wickr customer billing information, consisting of the following data fields:

1. The 'Bill To' name and address on the invoice.

2. The amount of the invoice.

Financial account information such as credit card numbers, expiration dates, etc. was not at risk as this information does not appear on downloaded statements.

Source: This issue was privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro Administration Console version 2.9.27.
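The advisory above attributes the flaw to a download-statement function that never checked whether the requested statement belonged to the caller's network. The following is an added illustration, not Wickr's code: a constructed two-tenant SQLite store, a hypothetical AdminSession type, and the lookup written both the way the advisory describes and with the ownership check scoped to the caller's own network.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data: two tenant networks, each with one billing statement.
SCHEMA = """
CREATE TABLE networks (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE statements (id INTEGER PRIMARY KEY, network_id INTEGER,
                         bill_to TEXT, amount_cents INTEGER);
INSERT INTO networks VALUES (1, 'acme');
INSERT INTO networks VALUES (2, 'globex');
INSERT INTO statements VALUES (101, 1, 'Acme Corp, 1 Main St', 120000);
INSERT INTO statements VALUES (102, 2, 'Globex Inc, 9 Elm Ave', 450000);
"""


@dataclass(frozen=True)
class AdminSession:
    """Hypothetical login session: the admin and the one network they administer."""
    admin_id: int
    network_id: int


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db


def download_statement_vulnerable(db, session: AdminSession, statement_id: int):
    """Looks the statement up by id alone. The session is never consulted, so any
    authenticated admin can fetch any network's statement (the advisory's defect)."""
    row = db.execute("SELECT * FROM statements WHERE id = ?", (statement_id,)).fetchone()
    return dict(row) if row else None


def download_statement_fixed(db, session: AdminSession, statement_id: int):
    """Scopes the lookup to the caller's network. A statement that exists but belongs
    to another tenant is indistinguishable from one that does not exist at all."""
    row = db.execute(
        "SELECT * FROM statements WHERE id = ? AND network_id = ?",
        (statement_id, session.network_id),
    ).fetchone()
    if row is None:
        raise PermissionError("statement not found in caller's network")
    return dict(row)


def is_denied(db, session: AdminSession, statement_id: int) -> bool:
    """True when the hardened lookup refuses to return the statement."""
    try:
        download_statement_fixed(db, session, statement_id)
    except PermissionError:
        return True
    return False
```

Binding the tenant into the query itself, rather than checking ownership after the fetch, means a forgotten check cannot leak the row: the database never returns it.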

***

Advisory: SQL injection flaw in Wickr messaging backend

Published: April 10, 2018

Version: 1.0

Severity: High

CVSS Base 8.6 (High) | Temporal 7.5 (High) | Environmental 6.5 (Medium)

Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/E:U/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:N/MUI:N/MS:C/MC:L/MI:L/MA:H

Summary: By submitting a forged request to a Wickr Pro, Wickr Enterprise or Wickr Me messaging server, an attacker could execute arbitrary queries on the application database and access data in excess of their authority.

This issue was caused by insufficient validation of user-entered input in a messaging-related API function. It has been fixed in the currently deployed and available versions of our products.

Recommendation: Wickr Enterprise customers should upgrade their messaging backend to version 2.10.17d or later.  This issue has been fixed in currently deployed versions of Wickr Pro and Wickr Me and no user action is necessary.

Affected Products: Wickr Pro, Wickr Enterprise, Wickr Me messaging server versions prior to 2.10.17d.

Impact: By exploiting this vulnerability, a skilled attacker could potentially access, alter or destroy information in the Wickr application database. Wickr's security architecture largely assumes back-end server compromise, so critical data in the database related to message security is either private and stored encrypted (i.e., requiring significant brute forcing to access) or public and protected via client-side integrity checking. More practical attacks exploiting this issue would likely focus on recovery of metadata (e.g., Pro/Enterprise usernames, network names, logs) and/or denial of service (e.g., data deletion). These factors are captured in the CVSS Environmental metrics indicated above. See the White Paper "The Untrusted Server" here.

Source: This issue was privately reported by a security researcher participating in Wickr’s bug bounty program.

Status: FINAL

Fixed in Wickr Pro, Wickr Enterprise and Wickr Me messaging backend version 2.10.17d.
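The advisory above traces the flaw to insufficient validation of user-entered input in a messaging-related API function. As an added illustration that is not Wickr's code, the following constructs a small SQLite message store and shows a lookup written with the caller's value interpolated into the SQL text beside a hardened version that applies two independent defenses: an allow-list check on the value (the USERNAME_RE pattern is a hypothetical policy) and a bound query parameter, so nothing the caller sends is ever parsed as SQL.

```python
import re
import sqlite3

# Constructed sample data standing in for a messaging backend's message table.
SCHEMA = """
CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
INSERT INTO messages VALUES (1, 'alice', 'hello bob');
INSERT INTO messages VALUES (2, 'alice', 'lunch at noon?');
INSERT INTO messages VALUES (3, 'bob', 'sounds good');
"""

# Hypothetical allow-list for usernames; a real product would use its own rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def fetch_messages_vulnerable(db, owner: str) -> list:
    """Interpolates the caller-supplied value into the statement text, so the
    database parses the value as SQL rather than treating it purely as data."""
    sql = f"SELECT body FROM messages WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def fetch_messages_fixed(db, owner: str) -> list:
    """Allow-list validation first, then a bound parameter. Either layer alone
    blocks injection; together a bug in one does not expose the database."""
    if not USERNAME_RE.fullmatch(owner):
        raise ValueError("invalid username")
    sql = "SELECT body FROM messages WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]


def is_rejected(db, owner: str) -> bool:
    """True when the hardened handler refuses the value before any query runs."""
    try:
        fetch_messages_fixed(db, owner)
    except ValueError:
        return True
    return False
```

The bound parameter is what makes the query safe regardless of content; the allow-list additionally keeps malformed values out of logs and downstream code.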