The “giggle” Debacle

Gr@ve_Rose
Sep 11, 2020


This isn’t my story; just my take on the story from a hacker’s point of view. It will start off rough in my opinion but will end on a (slightly) better note. Keep in mind that I’ve been in this field for 25-ish years and I’ve seen a lot through that time, so I’m not just talking out my ass on this.

First, you should stop right here and go read the excellent write-up at https://research.digitalinterruption.com/2020/09/10/giggle-laughable-security/ by the actual discoverers. Go now and read it.

If you didn’t take the three minutes to read the aforementioned story, please do. It’s important. Why is it important? To understand what Responsible Disclosure means to the hacker community. The whole idea is that you find a bug (either accidentally or on purpose) which can be exploited to gain additional access or information, or possibly to cause a disruption of service. The responsible thing to do is to notify the author/vendor of the product and tell them what you’ve found. You then work with them to come to an agreed-upon timeframe that they have to fix the issue, after which you may publicly release all the information regarding it. By the end of the timeframe, the author/vendor has usually notified their clients/partners of the bug and issued a patch. This means that when you release your information, a lot fewer people are at risk, since everyone should have upgraded to the newer version. Before we get too far: yes, there are some people who won’t have upgraded and are still at risk.

But that’s the crux of the matter, isn’t it? Do you tell the vendor and give them time to patch and notify their customers/partners or do you drop this information publicly and put even more people at risk? At what point is there an acceptable loss of security? When it’s 10% of the customer base? Why not 5% or 15%? The majority of (but not all) hackers will follow some form of responsible disclosure whenever a bug is found and even more so when an exploit is found to that bug. And for this reason, responsible disclosure comes with a timeframe. There are no hard-and-fast metrics of an acceptable loss of security posture as suggested above so instead, the timeframe is used.

But why do hackers want to release this information publicly? There are a few reasons. Almost every hacker, regardless of white/grey/black hat, believes in the freedom of knowledge. It’s important that knowledge be a free-flowing commodity for anyone to utilize. Another reason is notoriety; it may seem selfish and self-absorbed to those not in the hacker community, but hackers are known for what they know and how they act. If you go back to the first reason of open knowledge, a hacker who doesn’t teach (either by tutoring, sharing tools, answering StackOverflow questions or just helping people out even in the smallest way) is looked upon in a less positive light within the community. Being able to say “Look what I’ve found!” isn’t just about showing off your hacking skills; it’s about showing that you care about the safety of your Internet brethren and your willingness to share knowledge with the community.

Unfortunately, even in 2020 when the Internet is a common daily tool for almost everyone, the *Sec communities are still shrouded in mystery for the lay person. That’s where my analysis of the “giggle” debacle comes into play…

giggle (https://joinagiggle.com/) is an app touted as an all-female platform for women to have an online safe-space. Their founder and CEO is a woman by the name of Sall Grover. Although I usually wouldn’t bring up someone’s sex, as I think it doesn’t matter what sex/gender someone is, it’s important for this.

Digital Interruption (https://www.digitalinterruption.com/) is a UK-based security organization. One of their founders, Saskia Coplans, is the discoverer of the bug and a woman. Again, Saskia’s sex/gender is important to the narrative.

Saskia discovered that a very trivial attack could allow a threat actor to obtain a massive amount of user personal information including (but not limited to):

  • Name
  • Phone Number (Likely mobile)
  • Photograph
  • Geographic Co-Ordinates (Where the initial “selfie” was taken)
  • Timezone the User is In

Although not explicitly listed, we can attempt to extrapolate additional information from the screenshot posted in Saskia’s report, keeping in mind that these are just slightly educated guesses:

  • Date of Birth (DOB)
  • Payment Card (cardType)
  • User Created Description of Themselves (description)
  • Minimum and Maximum Age of “Friends” (ageLo/ageHi)
  • General Permanent Location (locality)

Some of these, which may seem slightly benign (such as locality and timezone), can be combined to add structure to tracking someone down in real life. If your locality says “New York” and your timezone is “-5” then the odds are, you’re in New York. Combine that with the GPS co-ordinates from your selfie upload and it’s likely you’re even easier to track down.

Take all that and roll it into someone who is mentally unstable and wants to physically hurt people of a specific demographic — Let’s say women sex workers. This bad person (referred to as a “threat actor” in hacker nomenclature) now has a viable source of information on people who may be involved in the sex work industry (since that is [apparently] a category on giggle) and can start hurting or even killing people.
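The underlying defect is an API that hands any member the whole profile record. As an added example (my code, not giggle’s or Digital Interruption’s; the field names follow the lists above, while the values and the self/member audience split are constructed), here is an allowlist projection plus an audit check that a CI test could run over real responses to catch the over-exposure before it ships:

```python
import json

# Constructed sample profile modelled on the fields the post lists
# (name, phone, selfie with GPS fix, timezone, DOB, cardType, description,
# ageLo/ageHi, locality). Every value here is invented.
FULL_RECORD = {
    "id": 1234, "name": "Example Member", "phone": "+1-555-0100",
    "dob": "1990-01-01", "cardType": "visa", "ageLo": 25, "ageHi": 40,
    "description": "Hiker, reader, coffee person",
    "locality": "New York", "timezone": "-5",
    "selfie": {"url": "https://cdn.example/1234.jpg", "lat": 40.7128, "lon": -74.006},
}

# Allowlist per audience: a path not listed is never serialised. Dotted paths
# let "selfie.url" through while the coordinates stay server-side.
AUDIENCE_FIELDS = {
    "self": {"id", "name", "phone", "dob", "cardType", "description",
             "ageLo", "ageHi", "locality", "timezone", "selfie.url"},
    "member": {"id", "name", "description", "selfie.url"},
}

def flatten(obj, prefix=""):
    """Map every leaf of a nested dict to its dotted path."""
    leaves = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            leaves.update(flatten(value, path + "."))
        else:
            leaves[path] = value
    return leaves

def permitted(path, allowed):
    """A leaf is permitted if it, or any ancestor path, is in the allowlist."""
    parts = path.split(".")
    return any(".".join(parts[:i]) in allowed for i in range(1, len(parts) + 1))

def project(record, audience):
    """Build the response from the allowlist, never by deleting known-bad fields."""
    out = {}
    for path, value in flatten(record).items():
        if permitted(path, AUDIENCE_FIELDS[audience]):
            *parents, leaf = path.split(".")
            node = out
            for part in parents:
                node = node.setdefault(part, {})
            node[leaf] = value
    return out

def leaked_fields(payload, audience):
    """Audit a serialised response: the dotted paths this audience must not see."""
    return {p for p in flatten(json.loads(payload)) if not permitted(p, AUDIENCE_FIELDS[audience])}
```

Run `leaked_fields` against captured responses for each audience; a non-empty set is the regression you want a build to fail on.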

I’m not going to write about what happened as you should read the DI report but what I do want to talk about is the interaction from Sall/giggle and the *Sec community.

Unfortunately I don’t believe Sall had much, if any, experience in dealing with the hackers of the *Sec community. She responded by blocking DI’s accounts and publicly stating misinformation about her/giggle being targeted by “infosec men”.

I’m not going to delve into misogyny or abuse (both bad), but the immediate labeling of “infosec” as “men” is pretty sexist in my opinion. It’s not just the broad classification of “infosec men” as bad; there are a lot of women in *Sec and it’s sad to see someone (especially another woman) denigrate them. I went through some of her Tweets and noticed a recurring pattern:

It’s worth noting that “JayHarris_Sec” is another founder at DI.

I want to expand on the second and third Tweets… “It doesn’t concern you” and “…it’s not for you.” really struck a chord with me. It seems that Sall does want equality (from reading her other Tweets) but these two Tweets are, in my opinion, way overboard. If she (or anyone) is sick of misogyny (which is a good thing to be sick of) then why would you refuse men who are trying to treat you as an equal and help out? If I were in that position, I’d try to create a bridge between the genders instead of telling people to “move along” and that it “doesn’t concern” them. Imagine if a women-only gym caught fire and they turned away the fire brigade because the men firefighters showed up first.

I do, however, think that the ironic ending to this is that someone named “Bill” (whom I assume is a man) from giggle helped fix the issue.

But as I said at the start of this, there’s a somewhat better ending…

This message from Sall shows that she has learned more about how the hacker community works when it comes to responsible disclosure. It’s unfortunate that she had to learn that lesson the hard way and in such a short amount of time. I know there are some people on Twitter still lambasting her actions and calling out this “phony” apology. If this is a phony apology, it will be the start of a second hard lesson. I’m sincerely hopeful that Sall has had an epiphany with the *Sec community and that this lesson is over.


Written by Gr@ve_Rose

CSO, Security Engineer, RedTeamer, PenTester, Creator of https://tcpdump101.com, Packet Monkey
