IFTTT is a great site, let’s get that out of the way before we say anything else. They offer a great service, however their response time to this one security issue was somewhat slow. On September 20th, 2014 we made a recipe for the homeboy camera. This recipe contained XSS, which triggered every time anyone viewed the recipe due to a parameter not being properly sanitized.
What does this mean to IFTTT security?
Anyone else who discovered that bug could’ve released this to the IFTTT published recipe page, thus anyone who clicked it could’ve executed malicious code thus affecting the security of other users. Since we are ethical cyber security researchers, we didn’t release it to the published recipe page. We instead reported it to IFTTT. Fast forward to mid-2016 and the vulnerability still existed, even though we had reported it to them in 2014. This wasn’t safe for their users, however our vulnerability could’ve gotten overlooked in their emails. We asked for an invite to their private bounty, which pays security researchers for fixes to issues. Sadly, we were not granted access despite having already identified one security flaw. Fast forward to 2017 and the vulnerability appears to have been fixed.
We are proud of IFTTT of taking steps in the right direction to make their site more secure for their users and applaud them on doing this. We hope and are probably right that missing the issue we reported on 2014 was an accident and are glad that they responded to us in mid-2016 when we contacted them. What we find interesting is that it appears that a site re-design fixed the issue, which is why you should subscribe to our RSS feed, since we will be writing an article all about site re-designs and how it impacts security.