A friend of mine on Twitter, @0xBanana, is having trouble getting in contact with anyone from Webull. He has identified a privacy issue that I have confirmed as a CVE on their products. Please let us know if you have a contact there.
The timeline:
2/5/2021 - Jason contacts Webull via direct message.
2/5/2021 - John looks for a security contact with no luck.
2/12/2021 - John sends a public Tweet, urging Webull to contact him. No response.
2/15/2021 - John reaches out again with a public Tweet directed towards Webull.
2/15/2021 - Contact is made with Webull; the details of the vulnerability communication are being discussed.
"Webull is a subsidiary of the multinational Chinese company Fumi Technology. It has more than 9 million worldwide users and estimated assets worth $4 billion across all its customer accounts. The company has a presence in New York and China."
We received a response through Twitter. We've been careful thus far to express the nature and issues involved with the vulnerability and focus on our desire to help other users. As it stands, they are hesitant to put us in contact with the appropriate team until we describe it more. Our next route of action will be described soon.
Compliance responded on 2/22/2021 but hasn't responded since. They are taking their sweet time on this vulnerability, and we've had to jump through hoops to get to this point. We are going to request a CVE ID and drop it to the public if we do not receive a response. There's no risk in doing so; it's a business logic flaw that has been programmatically placed and does not require any exploitation.