Looking for a security contact at promoclub.bg

Hey guys!

I think I’ve found a security issue with PROMOCLUB.bg (an online store in Bulgaria). I looked for their contact information, found an <[email protected]> email address, sent an email to have their IT Security team contact me, no reply received.

Messaged them on their Facebook page, they’ve seen my message but no response yet, from their side.

Searched for owners/employees on LinkedIn, found their CEO but apparently he’s not active there (has very few connections and no activity)

It has been 4 days now, since I first made contact with them, and I haven’t received any reply from them.

I’d really appreciate any help from the community in this regard.

Thanks! :slight_smile:

1 Like

Hello @shahrukhiqbal24

What is the security issue class? Can you DM me with a POC before I reach out on your behalf?

1 Like

Just DM’ed you @johnjhacking :slight_smile:

Thanks for helping me out.

1 Like

More vulnerabilities have been discovered. We are attempting to contact the individual. So far I’ve reached out on Twitter & LinkedIn. Next step will be CERT if no other contact info is identified.

Update: I’ve made contact with one of the lead developers of the Web Application. Unfortunately, he no longer works on the project but gave me a point of contact for someone that may. I have reached out to them.

2 Likes

We are looking at disclosing to CERT tomorrow.

1 Like

@shahrukhiqbal24 has disclosed to CERT with me on the CC.

1 Like

CERT has acknowledged and registered the report.

Fantastic, let’s ensure that the remediation is followed up on.

1 Like

I would reach out in a couple of days and ask about their intended response and offer a helping hand with additional information. Let me know what happens.

1 Like

I was thinking of sending a follow-up email tomorrow. I’ll keep you in the loop about their response.

1 Like

Sounds good! I’ll check back in.

1 Like

Waiting for CERT’s response on the follow-up email sent yesterday.

1 Like

Fantastic. Great update.

1 Like

No reply on the last follow-up email from the CERT yet.
Sent a second follow-up email just now.

1 Like

Latest update:

  • no reply from the CERT
  • no reply from the promoclub
  • identified and disclosed vulnerabilities patched (and entire web app UI changed)

A huge thank you to you @johnjhacking for your assistance, time and guidance :slightly_smiling_face: couldn’t have done it without you :slightly_smiling_face:

1 Like

No problem at all! Happy to help.

1 Like