KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

Vulnerability Found: Alienware Arena

This vulnerability post originated from my old site and was last updated on June 5th, 2013.  I have made some slight updates now that I am moving it over to my new site.

Let me start this post with a note:

I like and appreciate Alienware’s solid products. I have owned a couple Alienware laptops for years.  They have survived falling off a moving vehicle without much more than a few scratches. This post is not meant to be an attack on Alienware or Dell at all; it is merely a recap of the recent event surrounding a SQL injection vulnerability I found in one of their websites.

The Find:

While dorking around on Google I came across a link to the Alienware Arena website.  After a few minutes of looking at the site it was very apparent the site was vulnerable to a blind SQL injection.  The security on the database was not locked down.  The vulnerability could have had much worse possibilities than a simple database dump from Alienware Arena.  Cross-database calls could have been possible, but were never attempted.

I am a white-hat by nature.  I have never attacked a company or private citizen with malicious intentions.  My first reaction was to send Alienware/Dell an email letting them know of the vulnerability.  The first email was sent on May 20th.

Email to Alienware

After two days of not getting a response at all I contacted Alienware on Twitter letting them know I had a security issue I needed to get to their site administrators.

Alienware Initial Contact

After some fidgeting back and forth trying to get the info sent to a valid address at Dell I was able to get the information to them.  I do not have a predefined response I expect from companies when I let them know of vulnerabilities.  You never know how the company is going to react.  In some cases they freak out thinking you are trying to take them down and start threatening you.  In the case of Alienware, they simply fixed the problem.  The only response I received, until letting them know I was waiting for the issue to be resolved before I posted this article and even after letting them know they could contact me with any questions or concerns, was the following email:

Alienware Initial Response

Dell thanked me and the vulnerability was fixed sooner than I had thought.  From what the contact I had with AlienwareTech told me, it took Dell four days to fix this hole in their site.  Originally I thought it took twelve days, but after speaking to a contact at Dell I found out the vulnerability was fixed after four days.  The issue was there is apparently a confidentiality agreement between Dell and Alienware and they were unable to tell me that it actually got fixed at that point.

The Conclusion:

Companies, big and small alike, need to make a safe way for white-hats to report vulnerabilities where they know the issue will get resolved in a timely manner and they will be safe from any legal fallout.  Facebook has implemented a safety program for white-hats, but it is somewhat questionable in their follow-up.  My suggestion to Alienware/Dell would be to set up an email forward for the site security department, i.e. [email protected].  This would allow people with good intentions to easily contact the administrators and let them know of potential security issues.

I verified with the contact in AlienwareTech that the security issue was resolved before posting this. Any attempt to exploit this hole after this post is very clearly a sign of attempting to breach the database with malicious intent and may result in some serious legal issues.

UPDATE:

I spoke with Eddie at AlienwareTech again about this issue.  He informed me of some inaccuracies in the article.  I have updated it accordingly.  Below are the inaccuracies he noted. These are his bullets, so “me” is referring to himself.

  1. Alienware Arena is not owned by Dell, it is a partner site. When I got the note from you I sent it to the person who manages the relationship.
  2. They actually responded to me and notified me of the solve 4 days after you sent your note to us. I did not forward it over due to privacy policies we have.

I did some looking at the domains after getting this email and it appears Alienware Arena is still registered to Alienware Corporation. They still maintain ownership of the site and partner with Dell for the products.

UPDATE 2: 

I received an Alienware TactX Keyboard, mouse, and headset as a thank you from Dell/Alienware Arena today. Thank you Eddie!  I can’t wait to start testing these out.

UPDATE 3 (November 2nd, 2014):

The mouse and headset stopped working after a little over a year of use, but the keyboard is still going strong to this date, in fact, I am typing this on it now.  Although the ‘W’ key is going out, I have had no other issues with it.  I highly recommend the keyboard and mouse.  The headset, not so much.

Kalypto • November 3, 2014

