Error submitting security report

mwholt
New Member
Posts: 2
Joined: Sun Oct 24, 2021 10:24 pm

Error submitting security report

#1

Post by mwholt »

I've found that the church's website is unnecessarily leaking the private information of members, to any other members. This includes names, physical addresses, birth dates, phone numbers and email addresses, ordinance information, and more.

I only found a link to https://www.churchofjesuschrist.org/inf ... nsecurity/ after someone on Twitter found someone posting the link here on this forum, which didn't even appear in my search results.

When I submit the form, I get "An error occurred." When I inspect, it appears to be returning HTTP 413. I am requested to submit the evidence of the problem, but when I do, the form rejects my submission.

The form does not allow submitting screenshots.

There is no https://www.churchofjesuschrist.org/.we ... curity.txt file.

Where is the security contact?
Mikerowaved
Community Moderators
Posts: 4398
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Error submitting security report

#2

Post by Mikerowaved »

You can try sending an email to VulnReport@ChurchOfJesusChrist.org.
So we can better help you, please edit your Profile to include your general location.
mwholt
New Member
Posts: 2
Joined: Sun Oct 24, 2021 10:24 pm

Re: Error submitting security report

#3

Post by mwholt »

Thank you!

Someone reached out to me via PM as well, so I'm optimistic it'll be in good hands soon.
sbradshaw
Community Moderators
Posts: 5483
Joined: Mon Sep 26, 2011 9:42 pm
Location: Utah

Re: Error submitting security report

#4

Post by sbradshaw »

Make sure you tell them about the security form issue and the missing security.txt file, in addition to reporting the main issue – it sounds like something that would be good to fix. Thank you for bringing it up!
Samuel Bradshaw • If you desire to serve God, you are called to the work.
mwholt
New Member
Posts: 8
Joined: Tue Jul 24, 2012 9:00 am

Re: Error submitting security report

#5

Post by mwholt »

For the record, unfortunately the leak still has not been fixed.
scgallafent
Church Employee
Posts: 2890
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Error submitting security report

#6

Post by scgallafent »

It will probably take a little bit of time for the issue to be corrected. Any kind of fix will have to be implemented, verified, and then released.
mwholt
New Member
Posts: 8
Joined: Tue Jul 24, 2012 9:00 am

Re: Error submitting security report

#7

Post by mwholt »

Posting for the record: 3 weeks later, and I still have not had any contact from anyone working the issue, and I verified today that the leak persists. I have submitted another vuln report today using that form, but still have not heard any update. Any responsible tech company could fix this in a day or less, then publish a post-mortem to stay accountable to those whose private data they are stewards over. I have not even been contacted by anyone addressing the issue.

(For the record, the issue HAS been confirmed by an employee the night I posted this thread. But it had to be forwarded to another team. I have not heard since then.)

Where are the Church's security officers? Their SRE team? Anyone?
lajackson
Community Moderators
Posts: 10353
Joined: Mon Mar 17, 2008 10:27 pm
Location: US

Re: Error submitting security report

#8

Post by lajackson »

mwholt wrote: Posting for the record: 3 weeks later, and I still have not had any contact from anyone working the issue, and I verified today that the leak persists. I have submitted another vuln report today using that form, but still have not heard any update. Any responsible tech company could fix this in a day or less, then publish a post-mortem to stay accountable to those whose private data they are stewards over. I have not even been contacted by anyone addressing the issue.
It sounds to me as if this is something serious, and if the developers believe it is as serious as you say, I am sure they are working on it. But I have a couple of thoughts in that regard.

First, I do not believe that Security is going to comment publicly on a matter such as this, or any other similar matter. I think that ultimately they will just do what they think they need to do without saying anything at all about it. This is not a giant tech company and, as I am sure you know, they do not operate like one. I would be absolutely shocked to see any type of "post-mortem" report at all.

Second, in spite of what some may think, the Church does not have a giant tech department devoted solely to running the website. In other posts, I have joked that it is quite likely I could afford to take the entire development team out to lunch, all both of them, and still have plenty left over for dessert. I do not know personally how many of them there really are, but I suspect if I made the offer I would not go broke if they actually took me up on it. But, of course, that is just my own personal opinion. They do not comment on that, either.

Since you say someone has contacted you behind the scenes, I am certain that they are working as quickly and as best they can to resolve this issue, whatever it is. The mere fact that they reached out to you tells me they are taking it seriously. And I am doubly impressed that you were contacted so quickly, even if it seems they are taking longer than you feel they should to resolve the problem.

I appreciate that you have taken the time to report the issue, even though I do not know what it is.

And I totally relate with the challenges you have had just trying to report it. If I had a nickel for every time the help desk told me something should not work like it did or should have worked differently, I would have been able to retire long ago.
mwholt
New Member
Posts: 8
Joined: Tue Jul 24, 2012 9:00 am

Re: Error submitting security report

#9

Post by mwholt »

lajackson wrote: It sounds to me as if this is something serious, and if the developers believe it is as serious as you say ... I appreciate that you have taken the time to report the issue, even though I do not know what it is.
The private information of my family members / loved ones is being given away without their consent. Names, email addresses, physical home addresses, phone numbers, birth dates, ordinance/priesthood information, appointment times and locations, and more ... are publicly available. Not serious?
lajackson wrote: First, I do not believe that Security is going to comment publicly on a matter such as this, or any other similar matter. I think that ultimately they will just do what they think they need to do without saying anything at all about it.
After submitting the form, a message appeared saying I will receive a response shortly. That never happened. Regardless of what they decide to do about a public post-mortem, I would expect at least acknowledgement that they're fixing it.
lajackson wrote: This is not a giant tech company and, as I am sure you know, they do not operate like one. I would be absolutely shocked to see any type of "post-mortem" report at all.
Just curious, how does the church deal with applicable laws regarding data privacy and retention? In some regions, a leak such as this would absolutely be required to be disclosed at least to those whose data was leaked. Short of an actual post-mortem, can we at least expect they will follow those laws? I know for a fact it affects citizens in EU regions, and I would be surprised if the Church was exempt from GDPR and other similar laws around the world.

With the knowledge of this information, I am trying to be responsible by posting status updates here, for accountability reasons. Of course I won't share any details before it is fixed, but I do think it's prudent to keep a record of what is happening. That's all.
lajackson wrote: Since you say someone has contacted you behind the scenes, I am certain that they are working as quickly and as best they can to resolve this issue, whatever it is. The mere fact that they reached out to you tells me they are taking it seriously. And I am doubly impressed that you were contacted so quickly, even if it seems they are taking longer than you feel they should to resolve the problem.
Yeah, I was actually really pleased to have been contacted so quickly on this forum; and my contact has been a delight to communicate with. It sounds like the issue is finally being escalated internally, and that's good. However, the "official" way of submitting and handling security reports clearly needs drastic internal improvements.

I don't mean to sound gruff. This bug just strikes a personal chord given the sensitive information, the breadth of the leak, and the fact that I and other loved ones are affected; and I figured the Church's IT/tech dept. would be bigger or have more resources given the size of the organization. I'll patiently await the fix and report back.
scgallafent
Church Employee
Posts: 2890
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Error submitting security report

#10

Post by scgallafent »

For everyone following along: this issue is being addressed. The development team responsible for making the fix is aware of it. The Church Data Privacy Office, which is responsible for complying with laws regarding data privacy and retention, is also aware of it. They are the ones who will handle the questions mwholt raised in his last post.