Looking for a security contact at promoclub.bg

shahrukhiqbal24 · March 2, 2021, 6:28am

Hey guys!

I think I’ve found a security issue with PROMOCLUB.bg (an online store in Bulgaria). I looked for their contact information, found an <[email protected]> email address, sent an email to have their IT Security team contact me, no reply received.

Messaged them on their Facebook page, they’ve seen my message but no response yet, from their side.

Searched for owners/employees on LinkedIn, found their CEO but apparently he’s not active there (has very few connections and no activity)

It has been 4 days now, since I first made contact with them, and I haven’t received any reply from them.

I’d really appreciate any help from the community in this regard.

Thanks!

johnjhacking · March 3, 2021, 2:06am

Hello @shahrukhiqbal24

What is the security issue class? Can you DM me with a POC before I reach out on your behalf?

shahrukhiqbal24 · March 3, 2021, 4:17am

Just DM’ed you @johnjhacking

Thanks for helping me out.

johnjhacking · March 3, 2021, 5:05am

More vulnerabilities have been discovered. We are attempting to contact the individual. So far I’ve reached out on Twitter & LinkedIn. Next step will be CERT if no other contact info is identified.

Update: I’ve made contact with one of the lead developers of the Web Application. Unfortunately, he no longer works on the project but gave me a point of contact for someone that may. I have reached out to them.

johnjhacking · March 9, 2021, 12:47am

We are looking at disclosing to CERT tomorrow.

johnjhacking · March 12, 2021, 9:43am

@shahrukhiqbal24 has disclosed to CERT with me on the CC.

shahrukhiqbal24 · March 12, 2021, 4:39pm

CERT has acknowledged and registered the report.

johnjhacking · March 12, 2021, 6:12pm

Fantastic, let’s ensure that the remediation is followed up on.

johnjhacking · March 16, 2021, 2:26pm

I would reach out in a couple of days and ask about their intended response and offer a helping hand with additional information. Let me know what happens.

shahrukhiqbal24 · March 16, 2021, 2:43pm

I was thinking of sending a follow-up email tomorrow. I’ll keep you in the loop about their response.

johnjhacking · March 16, 2021, 2:45pm

Sounds good! I’ll check back in.

shahrukhiqbal24 · March 18, 2021, 4:05am

Waiting for CERT’s response on the follow-up email sent yesterday.

johnjhacking · March 18, 2021, 5:19pm

Fantastic. Great update.

shahrukhiqbal24 · March 25, 2021, 5:59am

No reply on the last follow-up email from the CERT yet.
Sent a second follow-up email just now.

shahrukhiqbal24 · April 25, 2021, 7:53am

Latest update:

no reply from the CERT
no reply from the promoclub
identified and disclosed vulnerabilities patched (and entire web app UI changed)

A huge thank you to you @johnjhacking for your assistance, time and guidance couldn’t have done it without you

johnjhacking · May 2, 2021, 8:03pm

No problem at all! Happy to help.