Paul Moore

Paul Moore


Security consultant, researcher & CISO at Icebook.

Share


Twitter


SafeBuy: Can you trust a trustmark?

Private, secure & trusted... or is it?

Paul MoorePaul Moore

While watching reruns of Dragon's Den last week, one particular pitch caught my attention.

After Googling the company, I arrived at a page containing SQL errors. Having read the error log, it became clear the site had a critical security vulnerability. After a few tweets, emails & a brief call, the company patched it within 24hrs. Result!

However, something else caught my eye...

safebuy_small

... a SafeBuy trustmark.

Clicking the trustmark reveals the following popup...

safebuy_popup

Interest piqued, I decided to see just how trustworthy this SafeBuy scheme really is.

Registration

SafeBuy offer a 60 day free trial, after which, it's £180 a year.

reg1

payment1-1

That's it! That's the entire registration process. The observant amongst you will note the lack of a "I agree to abide by our code of conduct" checkbox and, if you're especially observant, you'll also note the price has gone up to £238.80 too.

The majority of sites ask for a password during registration, but surprisingly, SafeBuy do not.

24 hours later, I receive an email:

email1

Hmm, the password is prefixed with "safe" and what looks to be a random number, 1709121. Remember that for later...

After logging in, you're greeted with your account profile page.

loggedin1

Wait, what?! Toronto, Canada, Freshbooks?! Where did that come from?

In actual fact, the URL I entered (urity.co.uk) redirects to our billing control panel; run by Freshbooks. SafeBuy have wrongly assumed I own Freshbooks... but surely they wouldn't issue a trustmark in their name?

1

Sigh. The independent vetting process can't be particularly thorough if this slipped through!

As if that wasn't bad enough, I've been automatically featured in their members' directory.

https://www.safebuy.org.uk/directory/computers.html
memberdirectory1

Hang on, that "accreditation number" looks familiar...
weakPW

Oh for christ sake! The reputation of "my" business, or rather that of Freshbooks, is now in the hands of anyone blessed with the gift of sight. Thanks "Safe" Buy!

By this point, I've already written this off as insecure, ill-conceived snake oil. But, how deep does this rabbit hole go?

"Credible reviews"

Having all the hallmarks of a "one man band", I doubt SafeBuy has the resources to audit each & every review they receive. What they can do however, is implement the most basic of automated checks to verify a review is genuine. Unfortunately, that doesn't appear to be the case.

Here's my first review:
review1

Trouble is, you get slightly less of a warm, fuzzy feeling when you review... yourself. Yes, I submitted that review... and I was logged in at the time! What's the point of a "trusted" reviews site which allows companies to review themselves?

Security, or lack thereof

Before we get into the shocking state of security at SafeBuy, here's my reviews page:
https://ratings.safebuy.org.uk/freshbooks.com/stats.html

If you're wondering why the images are going crazy and you're hearing some pretty awful music, that's the harlem shake.

You see, the site is so unspeakably insecure, it's possible to embed & execute arbitrary code as if I'm the developer. OK, the harlem shake is a bit of harmless fun... but I could just as easily embed malware or indeed alter anything you see; quantity of reviews, star ratings, each review, their responses... literally anything!

Talking of responses:
reviewedit1

On this screen, we can see all our customer reviews and if necessary, respond to them. One of the best ways to judge a company is not from the quantity of reviews (especially as they're so easy to fake) but how they respond to reviews/complaints.

Hmm, there's an ID in the URL. What happens if we change it?

reviewedit2

Sigh! It's the review screen for oakhillflooringltd.co.uk.

At first glance, you'd be forgiven for thinking this isn't a major security concern. After all, we can view their reviews publicly anyway. Trouble is, the "reply" button works!

Yes, we can reply to OakHill's customers as if we're logged in as OakHill. It's a good job I'm not in competition with them, or it'd be very easy to destroy their reputation.

Let's recap

In summary, we've visited an insecure website, been assured it's secure & private by a trustmark, registered and been accredited for a brand I neither own nor control, been given an insecure default password (also stored in plain text!), reviewed our own company, hijacked our own review page to deliver fake/inflated reviews and/or malware & had the opportunity to hijack any other SafeBuy member simply by changing a number in the address bar.

It's hard to believe this was designed in collaboration with the Office of Fair Trading!
oft1

It's worth mentioning at this point, the OFT closed in 2014... but it adds credibility, so why remove it? </sarcasm>

Responsible disclosure; redefined?

As regular readers will know, I always follow (what we call) responsible disclosure; typically by reporting these issues to the company in an attempt to have them addressed. However, there are those who will undoubtedly claim this isn't responsible disclosure, so let me explain my actions...

The industry is plagued by snake oil, meaningless trustmarks which continue to mislead users around the world. I've no doubt Troy Hunt would agree, given his comments in this excellent article from 2013. By reporting & effectively donating my time to companies which provide them, I am complicit in their questionable practices. On this occasion, the only way to "responsibly disclose" this... is to inform you, the general public, of just how pointless they really are.

Serving malware!

If you visit the site with a VPN and/or antivirus app running, you'll receive an error similar to this:
freedomeblock

Why? The site has been infected with malware for months! Thankfully, the site which the malware redirects to has since been fixed... but quite how "SafeBuy" were hacked is still unknown. Keep in mind, their trustmark ensures "total security & privacy" yet their own site falls short.

Summary

I have thinly veiled contempt for companies which claim to be "secure" simply by displaying a misleading image; even more so for those who advocate & facilitate this type of behaviour.

To put it bluntly, SafeBuy is a complete & utter shambles. If you're considering entrusting your firm's reputation to them, I'd strongly urge you to think again.

Paul Moore
Author

Paul Moore

Comments