PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw (zdnet.com)
An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.
Typical for incapable companies to threaten with lawsuits because they can't be bothered to actually do their job!
Companies like PwC cannot grasp the concept of earning money and behaving ethically at the same time.
Many a head must have been scratched in trying to understand why their threats failed. "Did the researchers not understand they were being threatened?" "Why would they do the right thing if it could cost them money?" "It's almost as if they decided to do what would be best for other people instead of themselves."
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
They need a license to *use* it. Research is fair use, so go suck Walt Disney's mummified cock.
dates too hard to read; stopped trying
Because only the plebs go to prison.
This is likely going to be very expensive for the security researchers, as PricewaterhouseCoopers has deep pockets and a history of shady litigation.
Assholes like PwC are why most security researchers don't bother with responsible disclosure. It is by far safer to anonymously dump it to pastebin.
There's a strong motivation to test a competing security company's products and find defects. Certainly something great to point out in a sales call. But I don't see why this is bad. If you're a security company, you should expect this. It's not just your competitors who are going to be looking hard. It's everybody. In this case a competitor disclosed responsibly. I don't think you can get a better outcome. Don't like it? Well first fix your flaw and then return the favor by helping audit your competitor's product!
I love the responses PwC gave.
"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff,"
In other words, trying to discredit them. There is nothing in that about the flaw not being real.
But the one that had me laughing at the spin was:
"The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
Makes it sound like it's an old version that wasn't in use much anymore. But it was announced AFTER the fix. So publish the fix, which is now the "current version of the software" and, since it's published, "is available to all of our clients." But really, that doesn't mean that most of your clients are running the patch; it silently sidesteps the whole thing.
And the final one:
"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialized,"
Yes, I would expect access to an admin account not to be listed on the main menu, I can believe it's an unlikely scenario. It's not actually hypothetical if it's been done by the security firm, so that part is a lie. The "we are not aware of any situation in which it has materialized" just means "we didn't catch it".