Looking for a security contact at Webull

Hello,

A friend of mine on Twitter: @0xBanana is having trouble getting in contact with anyone from Webull. He has identified a privacy issue that I have confirmed as a CVE on their products. Please let us know if you have a contact there.

The timeline:

- 2/5/2021 - Jason contacts Webull via direct message.
- 2/5/2021 - John looks for a security contact with no luck.
- 2/12/2021 - John sends a public Tweet, urging Webull to contact him. No response.
- 2/15/2021 - John reaches out again with a public Tweet directed towards Webull.
- 2/15/2021 - Contact is made with Webull; the details of vulnerability communication are being discussed.

I think the CEO is in the subreddit, here ya go!

https://www.reddit.com/r/Webull/comments/lkpig4/website_security_issue_staff_from_webull_please/

1 Like

I don’t see the CEO. I see someone talking about Wendy’s. Kindly point me to it?

2 Likes
  1. Try his LinkedIn: https://www.linkedin.com/in/anthonydenier/

  2. Webull Financial LLC is owned by Xiaomi (14%), try https://sec.xiaomi.com

  3. Maybe contact Saxo's Investment Team (Saxo Group), since they may have built some of the app(s)? See "Fumi Tech | Saxo Group".

“Webull is a subsidiary of the multinational Chinese company Fumi Technology. It has more than 9 million worldwide users and estimated assets worth $4 billion across all its customer accounts. The company has a presence in New York and China.” :sweat_smile:

1 Like

We received a response through Twitter. We’ve been careful thus far to express the nature and issues involved with the vulnerability and focus on our desire to help other users. As it stands, they are hesitant to put us in contact with the appropriate team until we describe it more. Our next route of action will be described soon.

1 Like

For those reading along at home, not putting you through to the right team usually means that the team is 404 irl.

3 Likes

Looking for the super-like function on this thing.

2 Likes

Update: contacted them via email. They wanted us to get in touch with the compliance team [lol]. Did that this morning, but no response.

Fail, we want the security team not compliance. Take it to the next level and get a third party coordinator, or CERT, or the regulator involved.

1 Like

Yeah will likely go through CERT.

CERT has been contacted. We asked for permission to disclose to the public upon assignment of a CVE ID.

1 Like

Still waiting for CERT to respond.

Compliance responded on 2/22/2021 but hasn't responded since; they are taking their sweet time on this vulnerability, and we've had to jump through hoops to get to this point. We are going to request a CVE ID and drop it to the public if we do not receive a response. There's no risk in doing so; it's a business logic flaw that has been programmatically placed and does not require any exploitation.

The vulnerability is going to be dropped to the public today.

Jason has released it to the public. CVE ID still pending.

1 Like

CVE may or may not be assigned; CERT is hashing it out with us as MITRE told Jason to go to the SEC…which won’t exactly help the issue get fixed.

CVE was not assigned, but issue was highlighted to the public and disclosed responsibly per CERT’s guidance.