Looking for a security contact at Webull

Hello,

A friend of mine on Twitter: @0xBanana is having trouble getting in contact with anyone from Webull. He has identified a privacy issue that I have confirmed as a CVE on their products. Please let us know if you have a contact there.

The timeline:
2/5/2021 - Jason contacts Webull via direct message.


2/5/2021 - John looks for a security contact with no luck.
2/12/2021 - John sends a public Tweet, urging Webull to contact him. No response.
2/15/2021 - John reaches out again with a public Tweet directed towards Webull.
2/15/2021 - Contact is made with WeBull, the details of vulnerability communication are being discussed.

I think the CEO is in the subreddit, here ya go!

https://www.reddit.com/r/Webull/comments/lkpig4/website_security_issue_staff_from_webull_please/

1 Like

I don’t see the CEO. I see someone talking about Wendy’s. Kindly point me to it?

2 Likes
  1. Try his LinkedIn: https://www.linkedin.com/in/anthonydenier/

  2. Webull Financial LLC is owned by Xiaomi (14%), try https://sec.xiaomi.com

  3. Maybe Contact Saxo's Investment Team | Saxo Group since they may have built some of the app(s)? Fumi Tech | Saxo Group

“Webull is a subsidiary of the multinational Chinese company Fumi Technology. It has more than 9 million worldwide users and estimated assets worth $4 billion across all its customer accounts. The company has a presence in New York and China.” :sweat_smile:

1 Like

We received a response through Twitter. We’ve been careful thus far to express the nature and issues involved with the vulnerability and focus on our desire to help other users. As it stands, they are hesitant to put us in contact with the appropriate team until we describe it more. Our next route of action will be described soon.

1 Like

For those reading along at home, not putting you through to the right team usually means that the team is 404 irl.

3 Likes

Looking for the super-like function on this thing.

2 Likes

Update, contacted them via email. They wanted us to get in-touch with the compliance team [lol] did it this morning but no response.

Fail, we want the security team not compliance. Take it to the next level and get a third party coordinator, or CERT, or the regulator involved.

1 Like

Yeah will likely go through CERT.

CERT has been contacted. We asked for permission to disclose to the public upon assignment of a CVE ID.

1 Like

Still waiting for CERT to respond.

Compliance responded on 2/22/2021 but haven’t responded since, they are taking there sweet time on this vulnerability, we’ve have to jump through hoops to get to this point – we are going to request a CVE ID and drop it to the public if we do not receive response. There’s no risk of doing so; It’s a business logic flaw that has been programmatically placed and does not require any exploitation.

The vulnerability is going to be dropped to the public today.

Jason has released it to the public. CVE ID still pending: