Tuesday, August 5, 2025

Aiman Al-Hadhrami HackerOne Privacy


Design Flaw in HackerOne’s Profile Visibility: A Privacy Violation (CWE-359) Under GDPR and ISO/IEC 27701




By: Aiman Al-Hadhrami

Independent Cybersecurity Researcher


❖ Introduction

In today’s digital era, privacy is not optional — it is a fundamental right, protected by global regulations like the General Data Protection Regulation (GDPR) and international standards such as ISO/IEC 27701, which emphasizes privacy by design and user control over personal data.

This post highlights a critical privacy concern on HackerOne, a well-known vulnerability disclosure platform, where users lack any control over the public visibility of their profiles and reputation scores — a design decision that may contradict their publicly stated compliance with GDPR and ISO 27701.


❖ What’s the Problem?

Currently, HackerOne user profiles are publicly visible by default, including:

  • Username
  • Profile activity
  • Reputation score

And most importantly:
There is no setting or control that allows users to hide or restrict this information.


❖ Why This is a Privacy Violation

1. Contradiction of GDPR Article 25:

Article 25 requires “data protection by design and by default.” In particular, Article 25(2) states:

“[...] such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

But on HackerOne:

  • Profile data and scores are public by default
  • No explicit consent is obtained for public exposure
  • No privacy settings are offered to limit visibility
  • Profiles are indexed by search engines without user opt-in

2. Misalignment with ISO/IEC 27701:

HackerOne publicly claims to follow this privacy management standard. However, ISO 27701 clearly emphasizes the need for user control, minimization of public exposure, and consent-driven data sharing — none of which are currently enforced on the platform.


❖ Real-World Impact on Users

Publicly exposing reputation scores — especially negative ones — without user control or contextual explanation can lead to serious consequences:

  • Professional harm and reputational damage
  • Misinterpretation of the user’s behavior as malicious or unethical
  • Loss of job opportunities, trust, or career growth
  • Emotional distress and stigmatization
  • Discouraging ethical hackers from using the platform

Reputation scores may be negatively impacted by reports closed as “Not Applicable,” even when such reports were submitted in good faith. This outcome does not imply that the report lacks validity, but may instead reflect limitations in the platform’s internal policy or scope. 

Yet outsiders often interpret such scores harshly and unfairly. It is unfair for HackerOne to publicly display a negative reputation score without giving users control to hide or explain it. Privacy is a right, not a luxury!


❖ Lack of Transparency in Reputation Penalties: A Digital Injustice

When a report is closed as "Not Applicable", the researcher is automatically penalized with -5 reputation points, without any public explanation.

This deduction becomes publicly visible on the researcher’s profile and can easily be misinterpreted by the general public, employers, or peers as a sign of incompetence, negligence, or even malicious behavior. In reality, many of these reports are submitted in good faith but rejected due to program scope limitations or internal platform policies, not because the report was invalid or unethical.

The bigger issue is that HackerOne does not allow researchers to disclose these specific reports to the public. This means that researchers have no ability to explain or defend why they lost points, even if they acted responsibly.

This creates a system where:

  • Reputation is damaged without context
  • Users are judged without transparency
  • Researchers are denied the ability to control their own narrative

According to Article 5 of the GDPR, personal data must be:

“Processed lawfully, fairly, and in a transparent manner...”

In this case, there is no transparency, no fairness, and no informed consent — which clearly contradicts the core principles of data protection and ethical platform design.


❖ A Privacy and Design Flaw — Not Just a Feature Request

This is not a bug in code, but a flaw in platform design — a violation of basic Privacy Engineering principles and user autonomy.

In security classification terms, this falls under:

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor (formerly titled ‘Privacy Violation’)


❖ Evidence of Inconsistency:

HackerOne states publicly: 

> "We comply with ISO 27701 which provides requirements for a privacy management system within the context of an organization..." 

> "We ensure our data collection and handling practices comply with the General Data Protection Regulation (GDPR) and its rules on data protection, privacy, and transfer..."

In reality:

  • Users have no privacy or visibility controls
  • Personally identifiable information is public by default
  • Reputation scores are publicly visible without context or consent
  • Search engine indexing is enabled by default

This reveals a clear gap between HackerOne’s stated commitments and actual user experience.


❖ Proposed Solutions for HackerOne

To align with privacy standards and user expectations, I propose the following actions:

  1. Set profile visibility to private by default, in accordance with GDPR Article 25.

  2. Or introduce profile visibility settings, including:

    • Public
    • Private
    • Unlisted

  3. Allow users to hide or restrict visibility of reputation scores, particularly negative ones.

  4. Use a more neutral term such as "Contribution Score" or "Participation Rating" instead of "Reputation" to avoid harmful interpretations.

  5. Allow users to disclose "Not Applicable" reports voluntarily, so they can defend the context of the negative score and avoid misjudgment.

  6. Implement contextual tooltips or explanations for reputation deductions visible on public profiles (e.g., “Score impacted by a report closed as Not Applicable”).

  7. Introduce a right to appeal or explain score deductions, especially when they result from vague or non-transparent rejections.
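The visibility model proposed in points 1 to 3 above, as an added example that is not HackerOne’s code: a private-by-default profile policy in Python, where an unlisted profile is served with an X-Robots-Tag noindex header (so it is reachable by direct link but not by crawlers) and the reputation score is only rendered when the owner has opted in. The Profile fields, the show_reputation toggle and the render_profile function are assumptions made for this illustration.

```python
"""Private-by-default profile visibility (added example, not HackerOne code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Visibility(Enum):
    PRIVATE = "private"    # owner only; the proposed default (GDPR Art. 25(2))
    UNLISTED = "unlisted"  # reachable by direct link, never indexed
    PUBLIC = "public"      # visible and indexable, only after the user opts in


@dataclass
class Profile:
    # Hypothetical profile record; field names are assumptions for this example.
    username: str
    reputation: int
    activity: List[str] = field(default_factory=list)
    visibility: Visibility = Visibility.PRIVATE   # nothing public until the user acts
    show_reputation: bool = False                 # score hidden unless opted in


@dataclass
class Rendered:
    fields: Dict[str, object]
    headers: Dict[str, str]


NOINDEX = "noindex, nofollow"


def render_profile(profile: Profile, viewer: Optional[str]) -> Optional[Rendered]:
    """Decide what `viewer` (a username, or None when anonymous) may see.

    Returns None when the profile must not be served at all (HTTP 404/403),
    otherwise the fields to render plus response headers. Search engines are
    told not to index anything the user has not explicitly made public.
    """
    if viewer == profile.username:
        # The owner always sees the full record, including a negative score.
        return Rendered(
            fields={"username": profile.username,
                    "reputation": profile.reputation,
                    "activity": list(profile.activity)},
            headers={"X-Robots-Tag": NOINDEX},
        )
    if profile.visibility is Visibility.PRIVATE:
        return None

    fields: Dict[str, object] = {"username": profile.username}
    if profile.visibility is Visibility.PUBLIC:
        fields["activity"] = list(profile.activity)
    if profile.show_reputation:
        fields["reputation"] = profile.reputation

    headers: Dict[str, str] = {}
    if profile.visibility is Visibility.UNLISTED:
        headers["X-Robots-Tag"] = NOINDEX   # direct link works, crawlers stay out
    return Rendered(fields=fields, headers=headers)
```

With these defaults a freshly created profile returns None to every anonymous or third-party request, which is the "not accessible to an indefinite number of people without the individual’s intervention" behaviour Article 25(2) describes; the user has to flip visibility and show_reputation themselves.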


❖ Why This Matters

This issue is not just about convenience — it’s about:

  • Protecting users from unintentional reputational harm
  • Ensuring legal compliance with privacy regulations
  • Promoting ethical platform design
  • Preserving trust in the security community

On a platform called HackerOne, where misunderstanding the term “reputation” could lead to damaging assumptions, users deserve better protection, transparency, and control over how they are publicly portrayed.


❖ Conclusion

A platform that promotes ethical hacking should not expose researchers to reputational damage simply for engaging responsibly. A platform that promotes transparency, ethical hacking, and legal compliance should hold itself to the same standards it encourages in others. Before expecting researchers to act with integrity, it must first reflect that integrity in its own practices: by respecting user privacy and by adhering to internationally recognized data protection frameworks such as GDPR Article 25 and ISO/IEC 27701. Leadership in cybersecurity and privacy begins with internal accountability and a commitment to compliance by design.

Thursday, July 3, 2025

Aiman Al-hadhrami Facebook Vulnerability

Security Report: Facebook Vulnerability Allows Remote Attacker Deception and Phishing Attacks



Visual Trust, Hidden Threat: Facebook Preview Flaw Enables Sophisticated Phishing Attacks


Overview

Inconsistent handling of link previews in Facebook's mobile application introduces a subtle but powerful logic flaw. When a user pastes a URL while composing a post or comment, Facebook automatically generates a preview from the page's Open Graph metadata (title, image, description). If the user then replaces that URL with a different one before posting (the report refers to this as "injecting" the URL), the preview is not regenerated, so the displayed card no longer matches the link's actual destination.

This silent failure allows attackers to embed malicious links behind trusted-looking previews, increasing the likelihood that users will click and be exposed to phishing, malware, and data theft. The flaw aligns with CWE-451: UI Misrepresentation of Critical Information and also relates to CWE-345 (Insufficient Verification of Data Authenticity), highlighting weaknesses in Facebook's UI state and trust validation logic.


Exploit Scenario – Link Preview Mismatch on Facebook Enables Highly Effective Phishing Attacks

Example:

An attacker creates a Facebook post and begins by pasting a legitimate URL — for example:
https://www.afro.who.int/countrie/news/hope-and-healing-integrated-free-surgical-camp-offers-relief-zimbabweans

Facebook automatically generates a trusted preview, including the World Health Organization's logo, a headline about free medical procedures, and a professional image, creating visual trust and a strong sense of credibility.

Before publishing, the attacker injects a malicious URL into the original one, such as:
https://2u.pw/Semzr

Facebook does not regenerate the preview. As a result, the post still displays the trusted WHO preview, while the actual link silently points to a phishing site.

Impact

This flaw enables attackers to:

  • Leverage Facebook’s preview system to trick users into trusting malicious links.
  • Exploit visual credibility by displaying previews from legitimate sources (WHO, banks, governments, etc.).
  • Redirect users to phishing pages where they may:
    • Enter sensitive personal or medical data.
    • Submit banking credentials or login information.
    • Download malware on mobile devices.
  • Violate user trust, especially among vulnerable populations seeking health, aid, or financial services.
  • Use Facebook ads to target vulnerable people seeking free surgeries, boosting phishing effectiveness.

Real-World Consequence: A Patient May Suffer or Even Die

Imagine a vulnerable person — perhaps a patient in urgent need of free life-saving surgery — who comes across the post and believes it's from the World Health Organization. Trusting the visual preview, they click and submit personal health information to a fake site.

  • The result? Their real medical request goes unanswered.
  • They lose valuable time chasing a fake opportunity.
  • Their condition may deteriorate rapidly, and in extreme cases, this delay could lead to death.

This transforms the flaw from a technical issue into a life-threatening deception.

Why It’s Critical

This is not just a design oversight — it's a logic flaw with dangerous implications:

  • The preview and actual destination do not match, creating a false sense of safety.
  • Facebook’s preview system is abused as part of the attack vector.
  • Victims are more likely to trust and click the link — especially when desperate for help.

This significantly increases the success rate of phishing campaigns and can lead to identity theft, healthcare fraud, and real harm to human life.


Facebook UI-Based Link Preview Vulnerability Report — Justification & Scope

1. User Interaction Is Expected and Routine

The attack requires no unusual or non-standard user behavior. A Facebook user simply clicks a link within a post — a natural, expected action that aligns with standard engagement patterns on the platform.

This clearly qualifies as “likely user interaction” under Facebook's vulnerability assessment guidelines.

2. Native UI Deception — Not External Social Engineering

This vulnerability results from a design flaw in Facebook’s link preview system. Once a preview has been generated for a pasted link, replacing that link before posting leaves the earlier, trusted-looking preview in place, so the post misrepresents its actual destination.

  • The deceptive element is embedded within Facebook’s own UI.
  • The attacker does not need to craft any off-platform tricks or manipulate the user externally.
  • The mismatch between the preview and real link is generated by Facebook’s logic, not through external social engineering.

3. Clearly Within Facebook’s In-Scope Criteria

Design or implementation issues that may compromise the security of Facebook users are in scope according to Facebook's vulnerability disclosure policy.

This issue aligns with that scope because it:

  • Abuses Facebook’s trust model and branding.
  • Enables phishing, credential theft, or malware delivery.
  • Occurs entirely within platform-native features, without bypassing technical controls or requiring complex exploitation.

4. Reproducible with a Clear Technical Root Cause

The behavior is consistently reproducible: paste a legitimate URL, wait for the preview to render, then replace the URL before publishing. The stale preview is retained automatically; the technical root cause lies in how the mobile app caches preview metadata and fails to rebind it to the final URL.

5. Real-World Impact Through Trust Exploitation

This issue has serious real-world implications, enabling attackers to abuse Facebook’s brand reputation and preview system to make harmful links appear legitimate.

This opens the door to large-scale abuse scenarios including:

  • Targeted phishing campaigns
  • Fraudulent services

  • Drive-by malware infections

Vulnerability Scope: Facebook Mobile App Only

During analysis, this behavior was observed exclusively in the Facebook mobile application. When tested via the web interface, the platform either removes the preview upon URL injection or regenerates it based on the new link. This indicates that the flaw is likely rooted in client-side caching and UI state persistence within the mobile app.

This increases risk significantly — users on mobile platforms are less likely to manually verify URLs, and more likely to trust visual previews.


Context & Cross-Platform Comparison

During testing, the same steps were reproduced across several popular messaging and social media platforms, including X (formerly Twitter), Threads, Telegram, Signal, and WhatsApp. On all of these platforms, the link preview was correctly updated when the original URL was modified prior to publishing. This behavior ensures consistency between the displayed preview and the actual link destination, thereby reducing the risk of user deception.

In contrast, this unexpected and inconsistent behavior was only observed on the Facebook mobile application (and one other unspecified app). This strongly suggests that the issue is the result of a platform-specific oversight in Facebook's mobile preview handling logic, rather than a technical limitation.


Security Risks & Real-World Impact

This flaw enables several high-impact exploitation scenarios:

  • Legal issue: Using previews based on content from trusted institutions, companies, or organizations such as the WHO may be exploited for phishing or deception and could lead to legal issues.
  • Exploitation via Paid Ads: Attackers can boost the reach of malicious posts by promoting them as paid ads on Facebook. This increases visibility, adds perceived legitimacy, and allows precise targeting of vulnerable users, making phishing attacks far more effective and dangerous.
  • Phishing & Credential Harvesting: Attacker crafts a post with a preview of a legitimate service (e.g., PayPal.com), then replaces the link with a phishing site. The preview remains trustworthy, increasing click-through and capture rates.
  • Theft of Sensitive Information: Redirect victims to fake banking, healthcare, or government portals that harvest login credentials, identity documents, or health data.
  • Malware Delivery: Clicking on the misleading link can redirect to drive-by download pages or exploit kits, leading to ransomware, spyware, or keyloggers.
  • Surveillance & Espionage: Journalists, executives, or political targets may be lured into clicking links that activate device-level spyware or tracking beacons.


    Technical Summary

    • Facebook generates link previews using Open Graph metadata.
    • The preview is cached at the moment the first URL is pasted.
    • Injecting a malicious URL does not invalidate the preview.
    • The final published post contains:
      • A preview from the first (legitimate) URL
      • A link pointing to a malicious destination

    Recommendations to Facebook

    • Invalidate previews whenever the link is injected before publishing.
    • Re-fetch metadata dynamically based on the final URL.
    • Display a clear warning if the preview and destination URL mismatch.
    • Provide users a way to inspect the true destination before clicking.

    Related CWE and CAPEC Classifications

    • CWE-451 – User Interface (UI) Misrepresentation of Critical Information
    • CWE-345 – Insufficient Verification of Data Authenticity
    • CAPEC-98 – Phishing


    Proof of Concept

    A full technical report, including a video demonstration, was submitted to Meta.


    Responsible Disclosure:

    This vulnerability was discovered and responsibly reported by independent cybersecurity researcher Aiman Al-Hadhrami, in accordance with ethical disclosure standards. It was privately disclosed through Meta’s bug bounty program on 3 July 2025 [Ticket Number: 25037377595865726]. Meta appreciated the report and valued the efforts.


    Research Ethics & Statement:

    This research was conducted under the principle of responsible disclosure.

    No user data was accessed, and no harm was caused to Facebook infrastructure or members.


    Conclusion

    This UI inconsistency in Facebook’s mobile app presents a significant security vulnerability, enabling covert phishing attempts, malware distribution, and sophisticated social engineering attacks. Though subtle in appearance, the flaw undermines the fundamental trust model between what users see and where they are actually directed.

    Addressing this issue demands prompt and deliberate action, including critical changes to how the platform manages link preview caching and URL validation. Failure to act leaves users exposed to serious security threats and undermines trust in the platform’s integrity.


    Aiman Al-Hadhrami – Independent Cybersecurity Researcher


    Aiman Al-hadhrami LinkedIn vulnerability

    Security Report: Link Preview Update Failure on LinkedIn Enabling Attacker Deception and Phishing Attacks



    LinkedIn Link Preview Mismatch: A Gateway to Deception and Phishing Attacks


    Introduction

    In today's digital landscape, social media platforms play a critical role in how information is shared and consumed. Link previews — the snippets showing images, titles, and descriptions when users paste URLs — have become a key feature to help users verify content before clicking. However, inconsistencies or flaws in how these previews are handled can expose users to deception, phishing, and other cyber threats.

    The flaw exists in the LinkedIn mobile application, where the preview displayed for a link does not update if the URL is replaced with a malicious one before publishing (the report refers to this as "injecting" the URL). This leads to a mismatch between the displayed preview and the actual link destination, posing significant risks of user deception and abuse.

    This report presents a security issue responsibly discovered and reported by independent cybersecurity researcher Aiman Al-Hadhrami.


    Summary of Security Issue: Native UI Deception via Link Previews

    1. User Interaction Is Expected and Routine

    The attack only requires a user to click a link in a LinkedIn post — a normal, platform-native action. This clearly qualifies as likely user interaction under LinkedIn’s vulnerability disclosure policy.

    2. Native UI Deception, Not External Social Engineering

    This vulnerability arises from a design flaw in LinkedIn’s link preview system. Once a preview has been generated for a pasted link, replacing that link before posting leaves the earlier, trusted-looking preview in place, so the post misrepresents its actual destination.

    • The deception is embedded within LinkedIn’s own UI.
    • No off-platform trickery is needed; the only attacker action is replacing the URL inside LinkedIn’s own composer.
    • Users are misled by what appears to be a legitimate, LinkedIn-generated preview.

    3. Clearly Within In-Scope Policy Criteria

    LinkedIn’s policy states:

    > “Implementation and design issues that substantially impact LinkedIn members’ data or infrastructure are in scope.”

    This vulnerability qualifies because it:

    • Abuses LinkedIn’s branding and trust model.
    • Enables phishing, credential theft, and potential malware delivery.
    • Does so entirely using LinkedIn’s built-in functionality, without exploiting external services or bypassing traditional security controls.

    4. Reproducible with a Clear Technical Root Cause

    The issue is easily reproducible and is caused by a consistent, identifiable behavior in the link preview generation process.

    5. Real-World Impact

    This vulnerability has clear potential for large-scale abuse by malicious actors who can craft LinkedIn posts with legitimate-looking previews that direct users to harmful destinations — leveraging LinkedIn’s own trust signals to increase success rates.


    Comparison with Other Platforms

    During testing, the same steps were reproduced across several popular messaging and social media platforms, including X (formerly Twitter), Threads, WhatsApp, Signal, and Telegram. I found that only LinkedIn (along with one other unspecified app) retains the initial link preview even after the user replaces the URL before publishing.

    In contrast, all other tested platforms correctly update the preview to reflect the new destination URL, thereby preventing any mismatch between the preview and the actual link.

    This behavior appears to be platform-specific to LinkedIn, and represents a deviation from the more secure and user-transparent design patterns followed by other major social platforms.


    Platform-Specific Behavior: App vs. Web

    Interestingly, this issue appears to be limited to the LinkedIn mobile application; when performing the same steps via the LinkedIn web interface in a browser, the preview either updates correctly or does not persist once the URL is replaced.

    This suggests that the flaw may be tied to how the mobile app handles UI state and link preview caching, further supporting its alignment with CWE-451 (UI Misrepresentation) and CWE-345 (Insufficient Verification of Data Authenticity).

    Such discrepancies between app and web behavior could increase the risk of exploitation on mobile platforms, where users are less likely to inspect actual URLs before clicking.


    Phishing via Link Preview Mismatch – LinkedIn Job-Seeker Exploitation Scenario

    Example:

    An attacker creates a LinkedIn post that appears to promote job opportunities from a reputable company, such as:

    https://careers.microsoft.com/openings

    LinkedIn instantly generates a trusted preview using Microsoft’s branding, job title, and professional imagery — creating strong visual credibility and making the post appear completely legitimate.

    Before publishing, the attacker injects a malicious phishing URL into the original link:

    https://2u.pw/Semzr

    However, LinkedIn does not invalidate or regenerate the preview after the URL injection. As a result, the post still displays a Microsoft-branded preview, but the visible link now leads to a fake login page designed to steal credentials.

    Real-World Exploitation Scenario: Job-Seeker in Distress

    Imagine a recent graduate or unemployed professional desperately looking for a job.

    They come across this LinkedIn post showing an official Microsoft job offer, complete with branding and job descriptions — seemingly shared by a recruiter or hiring manager.

    Out of urgency and hope, they:

    • Click the link.
    • Land on a perfectly cloned login page.
    • Enter their LinkedIn credentials — or worse, corporate or email credentials used for job applications.

    Result:

    • Their account is compromised.
    • Their data is harvested.
    • They may be locked out of their LinkedIn profile during critical application periods.
    • Or worse, the attacker uses the stolen account to spread more phishing through their network — amplifying the attack.

    Security and Ethical Implications

    This flaw allows attackers to:

    • Exploit human trust in professional networks.
    • Create targeted phishing attacks under the guise of opportunity.
    • Use LinkedIn ads to target vulnerable job seekers, increasing the success of phishing attacks.
    • Harvest credentials, personal information, or sensitive documents (CVs, passports, etc.).
    • Cause psychological harm to people already in distress due to unemployment.

    The emotional and professional impact can be devastating, especially for vulnerable users. This is not just a visual mismatch — it is a trust-based attack vector that hijacks the core purpose of LinkedIn: connecting people with real opportunities.


    Security Impact

    • User Deception: Users may trust the content based on a legitimate-looking preview, unaware that the actual destination is malicious.
    • Exploitation via Sponsored Ads: Attackers can use LinkedIn’s paid ads to increase the reach and credibility of malicious posts, targeting specific professional groups and making phishing attacks more effective.
    • Legal issue: Using previews based on content from trusted institutions, companies, or organizations may be exploited for phishing or deception and could lead to legal issues.
    • Phishing Facilitation: Attackers can present safe-looking previews while linking to phishing sites designed to steal login credentials, banking information, or personal data.
    • Sensitive Data Theft: Exploiting this flaw can lead users to fake portals that harvest medical records, financial credentials, personal identification data, and even corporate login information.
    • Malware & Spyware Installation: Victims may be redirected to malicious websites that automatically download spyware, keyloggers, ransomware, or other stealth malware.
    • Surveillance and Espionage: Malicious actors may use this to target executives, journalists, or government employees, injecting spyware to monitor communications or extract sensitive intelligence.


    Technical Breakdown

    • LinkedIn relies on Open Graph tags to fetch preview metadata.
    • The preview is generated only when the first URL is pasted.
    • When a malicious URL is injected before publishing, LinkedIn does not re-fetch or validate the new link’s metadata.
    • This creates a visual mismatch between the displayed preview and the actual link.
    • Clicking the visible link in the post leads to a destination completely unrelated to the image, title, or description shown.


    CWE and CAPEC Classifications

    • CWE-451 – User Interface (UI) Misrepresentation of Critical Information
    • CWE-345 – Insufficient Verification of Data Authenticity
    • CAPEC-98 – Phishing


    Recommendations for LinkedIn

    • Automatically invalidate and regenerate previews when a URL is injected or replaced before publishing.
    • Add UI warnings or visual cues to alert users when a link has been modified after preview generation.
    • Ensure that the actual destination URL is clearly visible or easily accessible to users before they click.
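The caching behaviour described in the Facebook "Technical Summary" and the LinkedIn "Technical Breakdown" above, together with the first two recommendations in each report (invalidate the preview when the link changes; refuse or flag a preview that does not match the destination), as one added Python example that is neither Facebook’s nor LinkedIn’s code. VulnerableComposer reproduces the reported behaviour: the card is fetched for the first pasted URL and never re-keyed when the URL is replaced. HardenedComposer rebinds the card to the current URL, and check_post is a publish-time guard that strips a card whose source URL does not match the final destination. The example URLs, the in-memory Open Graph fixture standing in for a real fetch, and the canonical() normalization rules are constructed assumptions for this illustration.

```python
"""Binding a link preview to its destination (added example; not Facebook's or LinkedIn's code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Preview:
    source_url: str   # the URL whose Open Graph metadata produced this card
    title: str
    image: str


def canonical(url: str) -> str:
    """Normalize scheme/host case, default path and drop the fragment, so a
    cosmetic edit does not look like a new link while a changed host or path
    still does."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


# Constructed stand-in for the Open Graph fetcher (assumption: maps URL -> card).
OG_FIXTURE: Dict[str, Preview] = {
    "https://example.org/health/free-surgery-camp": Preview(
        "https://example.org/health/free-surgery-camp",
        "Free surgical camp offers relief", "https://example.org/og.png"),
    "https://short.example/abc": Preview(
        "https://short.example/abc", "Sign in", "https://short.example/login.png"),
}


def fetch_og(url: str) -> Optional[Preview]:
    return OG_FIXTURE.get(canonical(url))


class VulnerableComposer:
    """The reported behaviour: the card is cached on the first paste and the
    link text is replaced underneath it without the card being re-keyed."""

    def __init__(self, fetch: Callable[[str], Optional[Preview]] = fetch_og):
        self.fetch = fetch
        self.link: Optional[str] = None
        self.preview: Optional[Preview] = None

    def set_link(self, url: str) -> None:
        self.link = url
        if self.preview is None:           # only the first URL is ever fetched
            self.preview = self.fetch(url)

    def publish(self) -> dict:
        return {"link": self.link, "preview": self.preview}


class HardenedComposer(VulnerableComposer):
    """Recommendation 1: any change of destination invalidates the card and
    re-fetches metadata for the URL that will actually be published."""

    def set_link(self, url: str) -> None:
        if self.link is None or canonical(url) != canonical(self.link):
            self.preview = self.fetch(url)  # invalidate + re-fetch
        self.link = url


def check_post(post: dict) -> dict:
    """Recommendation 2, enforced server-side at publish time regardless of
    which client sent the post: a card whose source does not match the
    destination is stripped and the mismatch is surfaced as a warning."""
    preview, link = post["preview"], post["link"]
    if preview is not None and canonical(preview.source_url) != canonical(link):
        return {"link": link, "preview": None,
                "warning": "preview/destination mismatch"}
    return {"link": link, "preview": preview, "warning": None}
```

The server-side check matters even once the client is fixed: the mobile app is only one client of the same publish API, so the property "card source equals destination" has to be enforced where the post is accepted, not only where it is composed.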

    Responsible Disclosure:

    This vulnerability was discovered and responsibly reported by independent cybersecurity researcher Aiman Al-Hadhrami, in accordance with ethical disclosure standards.

    It was privately disclosed through LinkedIn's bug bounty program on HackerOne on 2 July 2025 [Report ID: #3235035].


    Research Ethics & Statement:

    This research was conducted under the principle of responsible disclosure.

    No user data was accessed, and no harm was caused to LinkedIn infrastructure or members.


    Proof of Concept

    The vulnerability report, complete with technical documentation and a demonstration video, was submitted to the LinkedIn security team.


    Conclusion

    This vulnerability in the LinkedIn mobile application highlights a critical lapse in how link previews are managed — a seemingly minor UI behavior that can be weaponized for serious cyberattacks. By allowing outdated or misleading previews to persist even after the URL has been injected with a new destination, LinkedIn inadvertently opens the door to deception, phishing, and data theft at scale. In an era where trust and authenticity are constantly under threat, such flaws demand urgent attention. It is imperative that LinkedIn addresses this issue promptly by aligning its mobile behavior with industry standards, reinforcing preview validation mechanisms, and empowering users with clearer visibility into the links they engage with. Failure to act not only puts users at risk but also undermines trust in LinkedIn as a secure and professional platform.


    Aiman Al-Hadhrami – Independent Cybersecurity Researcher 




    Wednesday, June 4, 2025

    Aiman Al-hadhrami WhatsApp Vulnerability

    Security Report – Privacy Vulnerability – WhatsApp 



    🛡 Ghost Reads on WhatsApp: A Silent Technical Flaw Compromising User Privacy and Causing Potential Social Consequences Through Fake Blue Read Receipts — A Serious Privacy Violation!


    Summary:

    This flaw allows a sender, whether intentionally or unintentionally, to remotely determine whether a recipient has read a message — indicated by the two blue ticks — even when the "Read Receipts" feature is disabled in WhatsApp.

    This constitutes a remote privacy violation and logic flaw, as it enables the sender to receive confirmation of message reading despite the recipient’s chosen privacy settings — violating their expectation of control and discretion.

    The issue occurs regardless of the recipient's configuration, and messages may appear as “read” even when they were not actually opened, creating a deceptive and misleading system behavior.

    This flaw undermines user trust in WhatsApp’s advertised privacy features and opens the door to potential social, emotional, and even legal consequences stemming from false read indicators.

    This issue was responsibly discovered and reported by Aiman Al-Hadhrami, an independent cybersecurity researcher. Meta acknowledged the issue as valid and reproducible, but no fix or mitigation has been implemented yet.
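The behaviour the summary above says users expect, as an added Python model that is not WhatsApp’s implementation: the recipient’s client emits a read acknowledgement only when the user has read receipts enabled, and the sender’s client advances a message to "read" only on an acknowledgement of that kind from the actual recipient, never on a delivery acknowledgement alone. The Ack type, the status values and the user names are assumptions made for this illustration; the real protocol’s messages are not shown on the page and are not reproduced here.

```python
"""Read-receipt state model (added example; not WhatsApp's implementation)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Status(Enum):
    SENT = 1        # one grey tick
    DELIVERED = 2   # two grey ticks: the device received it, nobody has opened it
    READ = 3        # two blue ticks


@dataclass(frozen=True)
class Ack:
    kind: Status
    msg_id: str
    sender: str     # who emitted the ack; must be the recipient of msg_id


@dataclass
class RecipientClient:
    user: str
    read_receipts: bool = True                           # the privacy toggle in question
    inbox: Dict[str, bool] = field(default_factory=dict)  # msg_id -> opened?

    def on_delivered(self, msg_id: str) -> Ack:
        """Receiving the message is not reading it: only a DELIVERED ack goes back."""
        self.inbox[msg_id] = False
        return Ack(Status.DELIVERED, msg_id, self.user)

    def on_open(self, msg_id: str) -> List[Ack]:
        """Opening the chat emits a READ ack only when the user allows it."""
        self.inbox[msg_id] = True
        return [Ack(Status.READ, msg_id, self.user)] if self.read_receipts else []


@dataclass
class SenderClient:
    user: str
    status: Dict[str, Tuple[Status, str]] = field(default_factory=dict)  # msg_id -> (status, recipient)

    def send(self, msg_id: str, to: str) -> None:
        self.status[msg_id] = (Status.SENT, to)

    def on_ack(self, ack: Ack) -> Status:
        """Advance monotonically, and only on acks from the real recipient.
        Nothing here ever turns a DELIVERED ack into READ."""
        current, recipient = self.status[ack.msg_id]
        if ack.sender != recipient:
            return current                     # misrouted or spoofed ack: ignore
        if ack.kind.value > current.value:
            self.status[ack.msg_id] = (ack.kind, recipient)
        return self.status[ack.msg_id][0]


def deliver(sender: SenderClient, recipient: RecipientClient,
            msg_id: str, opened: bool) -> Status:
    """Run one message through both sides and return what the sender's UI shows."""
    sender.send(msg_id, recipient.user)
    sender.on_ack(recipient.on_delivered(msg_id))
    if opened:
        for ack in recipient.on_open(msg_id):
            sender.on_ack(ack)
    return sender.status[msg_id][0]
```

The invariant the flaw described above breaks is visible in deliver(): blue ticks appear only if the recipient both opened the message and allowed a READ ack to leave their device. A client that derives "read" from anything else (delivery, a second notification, a server-side heuristic) shows the false state the post complains about.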


    Impact/Risk:

    • Violates user privacy settings.
    • Could be exploited for social pressure, emotional manipulation, or invasive behavior.
    • May cause interpersonal conflict, especially in sensitive or high-stakes communication.


    Why This Is Particularly Severe

    False Read Status (Deceptive State):

    The system falsely indicates that the message has been read, misleading the sender into believing it was seen.
    This can lead to psychological pressure on the recipient, or even legal or professional issues in contexts like business communication or legal notices.
    The appearance of "message read" without actual reading can cause serious issues in both professional and personal life. Examples include:

    1. In the workplace:
      When a manager sends important instructions or directives via WhatsApp, and it shows that the employee has read the message — when in fact they haven't — this can lead to serious misunderstandings.
      The employee may be held accountable for negligence or lack of response, and the situation may escalate to disciplinary actions or even termination.
    2. In marital relationships:
      A wife may send heartfelt messages expressing her emotions or needs, and it appears that her husband has read them, while he actually hasn't seen them.
      This can create feelings of neglect or emotional abandonment, leading to communication breakdowns that may result in major conflicts, or even divorce.
    3. In parent-child relationships:
      When a father sends messages to his son containing advice or requests, and it shows as "read," the father may assume the son is ignoring him — even if the son hasn't actually opened the messages.
      This can cause strain in the family relationship and may lead to drastic consequences, such as the father asking the son to leave the house.

    🏥 Critical Medical Scenario: When a False Read Receipt Could Cost a Life

    In medical environments — such as hospitals or emergency care units — timing is everything. Communication apps like WhatsApp are often used by frontline medical staff to urgently send lab reports, scans, and vital patient data to off-site specialists for immediate review and action.

    The Problem:

    Due to this vulnerability, a message may falsely appear as "read" (with blue checkmarks) even though the specialist has not opened it.

    The Consequence:

    • The attending medical staff believes the specialist has reviewed the case and is taking action.
    • In reality, the message has not been seen, and no decision or medical intervention is made.
    • This false assumption and delay may result in the patient’s condition deteriorating, or in the worst-case scenario:

    The patient may die due to lack of timely response.

    Why This Matters:

    The scenario is simulated, but the mechanism is not: a logic flaw that creates a false sense of communication can lead to fatal misunderstandings in high-stakes environments.


    Direct Violation of Privacy Principles:

    Even aside from user privacy preferences, showing a message as "read" when it hasn't actually been opened represents a fundamental flaw in system behavior and logic.
    It undermines user trust and contradicts the purpose of privacy settings.


    Potential for Social Engineering or Harassment:

    The flaw could be exploited to accuse or pressure the recipient — e.g., someone might say “you saw my message and ignored me” when the message was never actually viewed.
    This opens the door to manipulation, abuse, or targeted harassment.


    ⚠️ Trust and User Confidence:

    This vulnerability raises not only legal and ethical concerns but also fundamentally undermines user trust in WhatsApp’s stated privacy guarantees. Users who disable the "Read Receipts" feature do so with the clear expectation of full control over the visibility of their engagement with messages. They trust that their decision to withhold read confirmations will be respected by the system. However, when the platform falsely displays a message as “read”—despite the recipient never opening it—this represents a direct violation of user expectation, intent, and autonomy.

    According to WhatsApp’s official Privacy Policy, users are explicitly assured that disabling read receipts will prevent others from knowing whether a message has been read. When the system fails to uphold this assurance, it effectively transforms a user-configured privacy setting into a false sense of control, weakening both the credibility of the platform and its ability to safeguard interpersonal boundaries. In a communication platform relied upon by billions, this is not a trivial glitch — it is a critical privacy logic flaw with serious implications. Beyond legal noncompliance, this behavior raises deep ethical questions about how digital platforms manage user trust and behavioral signaling.

    Disabling read receipts is not a casual configuration; it is a deliberate expression of digital boundaries — an assertion of the user’s right to control how their attention and presence are perceived. A false read indication, even if unintentional, violates this right. It compromises the informational integrity of communication and diminishes user confidence in the platform's transparency and honesty.


    📬 Responsible Disclosure:

    After initial denials and dismissals, and following multiple responsible disclosures regarding this privacy flaw, Meta acknowledged the report and valued the effort.

    Their exact words were:

     > “Hi Aiman, Thanks for writing in. We have discussed the issue at length and concluded that, whilst you reported a valid issue which the team may make changes based on...[ticket number: 24855322277404593]

     > “Hi Aiman, Thank you for your report. We were able to reproduce the behavior where a blue tick is shown incorrectly when the victim hasn’t read the message...” [ticket number: 24903344622602358]

    These statements are an acknowledgment by the vendor that the flaw exists and can be reproduced.

    This confirms that the issue is not hypothetical, nor is it limited to a device-specific bug. It is a reproducible privacy violation with significant real-world consequences.


    📊 Impact Analysis:

    Remote Exploitability:

    The vulnerability is remotely exploitable, requiring no physical access or interaction from the victim.

    Privacy Violation:

    This vulnerability bypasses user-configured privacy settings and qualifies under CWE-359: Exposure of Private Personal Information to an Unauthorized Actor, as it discloses the recipient’s read status despite their explicit privacy settings. 

    Additionally, it falls under CWE-451: UI Misrepresentation of Critical Information, since the application displays misleading read receipts (blue checkmarks) even when the messages have not actually been opened — creating a false perception of user interaction.


    Real-World Consequences:

    Read receipt behavior has proven to cause serious misunderstandings and trust issues in personal relationships.

    Example: in a 2017 divorce case in Taiwan, a court accepted messages on the Line app that were shown as 'read' but never answered as evidence of emotional abandonment. This highlights the severe risk posed by any flaw that produces false read receipts.
    Source: BBC News https://www.bbc.com/news/world-asia-40632435


    Policy Breach:

    This flaw directly contradicts WhatsApp’s stated privacy policies, which guarantee user control over read receipt visibility and message interaction privacy. Furthermore, such a violation may constitute a breach of data protection laws, including the General Data Protection Regulation (GDPR) in the European Union, which requires transparency about data processing and a lawful basis, such as consent, for carrying it out.

    Similarly, under U.S. privacy laws such as the California Consumer Privacy Act (CCPA), users have the right to know, control, and restrict how their personal data is accessed and used. Failing to uphold these standards could expose the platform to regulatory scrutiny and potential penalties.


    Nothing Is More Important Than People’s Lives:

    The goal of discovering vulnerabilities is not only to protect systems or improve software but to protect people first — especially when privacy flaws impact relationships, decisions, emotions, and everyday life.


    Why This Point Is Crucial:

    This vulnerability affects people’s lives, not just the code:
    It does not merely break the technical system; it breaks trust between individuals.
    It generates false behavior (messages shown as read even when they haven’t been), which leads to:
    • False accusations
    • Marital problems
    • Family conflicts
    • Workplace tensions
    • And even crimes or violence in sensitive contexts.


    Finally:

    This vulnerability transcends typical security flaws because it disrupts the fundamental trust and privacy that users expect from their communication tools.

    Addressing it is not just a matter of fixing code — it is a matter of safeguarding human dignity and social harmony. Its consequences reach far beyond technology, threatening real-world relationships and well-being.

    As an independent researcher, my intention is to promote trust, transparency, and user protection. I respectfully urge that this issue be addressed with urgency and transparency.


    🧪 Steps to Reproduce (Proof of Concept):

    Technical documentation was submitted to Meta.


    🎥 Supporting Material:

    The vulnerability report, including demonstrative video evidence, was submitted to Meta.

    📱📲 Video Demonstration Overview

    The video illustrates both the underlying logic flaw and a realistic use-case scenario, with a complete end-to-end reproduction performed on the latest official version of WhatsApp across both devices.

    🔹 First 10 minutes:

    • The recipient’s WhatsApp account has the “Read Receipts” feature disabled.
    • The recipient does not open any incoming messages.
    • Despite this, the sender’s WhatsApp falsely displays blue ticks, indicating that the messages have been read.

    🔹 Final minute:

    • The recipient finally opens the messages, while “Read Receipts” remain disabled.
    • The blue ticks still appear — confirming the logic flaw and privacy setting bypass.

    ⚠️ Critical Medical Scenario Depicted

    The video simulates a real-world medical emergency involving urgent communication between an emergency physician and an off-site cardiologist:

    1. The physician sends updates about a 45-year-old male presenting with anterior STEMI symptoms.
    2. ECG scans, chest images, and lab tests are shared for immediate expert advice.
    3. The patient becomes hemodynamically unstable (BP drops to 80/50 mmHg).
    4. The physician sees blue ticks and assumes the cardiologist has read the messages.
    5. In reality, the cardiologist never opened the messages — and no reply is received in time.
    6. The patient goes into cardiac arrest and unfortunately passes away.
    7. The physician later informs the cardiologist that medical decisions were based on the assumption that the messages had been seen — due to the misleading blue ticks.


    Aiman Al-hadhrami — Independent Cybersecurity Researcher 


    Sunday, March 29, 2020

    Vulnerabilities in Ruckus Network Products


    Overview

    Researcher security advisory: several security flaws in CommScope products, discovered by independent researcher Aiman Al-Hadhrami, a student at UST, Sana'a, Yemen.



    Description

    Multiple critical vulnerabilities have been discovered by independent security researcher Aiman Yahya Al-Hadhrami from the Republic of Yemen, a student at the University of Science and Technology, Sana'a. These vulnerabilities affect CommScope and Ruckus products.

    The discovered issues include flaws in the Secure Boot mechanism and the Web GUI that allow a remote attacker to bypass authentication and perform firmware upgrades with unauthorized images, rooted in critical weaknesses in the device’s chain of trust.

    Chained together, these vulnerabilities allow an attacker to achieve remote code execution as root with persistence, bypass authentication mechanisms, gain unauthorized access, and ultimately take complete control of the affected system, including its root of trust (RoT), Secure Boot, bootloader and kernel, remotely subverting every foundational security layer of the device.


    A total of 10 CVEs have been identified. The nine summarized below carry base scores from Medium to Critical:

    CVE-2020-22653   Base Score 9.8 CRITICAL
    Full device compromise: exploits an official image signature for unauthorized firmware injection and digital signature bypass.

    CVE-2020-22654   Base Score 9.8 CRITICAL
    CVE-2020-22656   Base Score 7.5 HIGH
    Secure Boot bypass: forces Secure Boot into the failed-attempts state (rfwd).

    CVE-2020-22657   Base Score 9.1 CRITICAL
    Unauthorized management access: bypasses Web GUI login authentication.

    CVE-2020-22658   Base Score 9.8 CRITICAL
    Complete firmware takeover: switches an unauthorized image in as the primary verified image.

    CVE-2020-22659   Base Score 7.5 HIGH
    Firmware spoofing: forces injection of an unauthorized firmware signature.

    CVE-2020-22660   Base Score 7.5 HIGH
    Unauthorized operation: bypasses Secure Boot to run the backup image.

    CVE-2020-22661   Base Score 6.5 MEDIUM
    Loss of trusted backup: erases and replaces the secondary backup firmware.

    CVE-2020-22662   Base Score 7.5 HIGH
    Regulatory violations, network interference: enables illegal region codes and frequencies via command injection; creates excessive SSID interfaces.
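    The advisory deliberately publishes no exploit details, so the following is an added, illustrative model of the verified-boot and update gate that the issue classes listed above are meant to defeat: reusing a genuine signature on a different image, switching an unverified image in as primary, booting an unverified backup, and forcing the failed-attempts fallback. It is not CommScope or Ruckus code; every type, field and function name is hypothetical, the sample images are constructed, and Go's standard-library Ed25519 stands in for whatever signature scheme the real firmware uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is one firmware slot as a verified-boot loader sees it: the payload
// plus the fields a signed header would carry. Field names are hypothetical.
type Image struct {
	Version uint32 // monotonic release counter, used for anti-rollback
	Payload []byte
	Sig     []byte // Ed25519 signature over Version || SHA-256(Payload)
}

// signedBytes binds the version number to the exact payload bytes, so a
// genuine vendor signature cannot be transplanted onto different firmware
// or re-labelled with another version.
func signedBytes(version uint32, payload []byte) []byte {
	h := sha256.Sum256(payload)
	buf := make([]byte, 4+len(h))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], h[:])
	return buf
}

// SignImage is the release-pipeline side: only the private-key holder can
// produce an image the device will accept.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{Version: version, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

var (
	ErrBadSignature = errors.New("signature does not verify against the vendor key")
	ErrRollback     = errors.New("image version is below the allowed minimum")
)

// Verify is the single gate every boot and update path goes through: the
// signature must verify against the root-of-trust key and the version must
// not be below the floor.
func Verify(pub ed25519.PublicKey, img Image, minVersion uint32) error {
	if !ed25519.Verify(pub, signedBytes(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version < minVersion {
		return ErrRollback
	}
	return nil
}

// Loader holds the two firmware slots, a hardware-enforced version floor
// that is never lowered, and the failed-boot counter that triggers fallback.
type Loader struct {
	Pub         ed25519.PublicKey
	MinVersion  uint32
	Primary     Image
	Backup      Image
	FailedBoots int
	MaxFailures int
}

// Update makes img the primary image only after it verifies and is not older
// than the installed primary; the old primary becomes the backup. No slot
// changes until both checks pass.
func (l *Loader) Update(img Image) error {
	if err := Verify(l.Pub, img, l.Primary.Version); err != nil {
		return fmt.Errorf("update rejected: %w", err)
	}
	l.Backup, l.Primary = l.Primary, img
	return nil
}

// SelectBoot chooses the slot to boot. Too many failed boots of the primary
// falls back to the backup, but the backup goes through the same Verify call:
// a failed-attempts state must never become a path that skips signing checks.
func (l *Loader) SelectBoot() (string, error) {
	if l.FailedBoots < l.MaxFailures {
		if err := Verify(l.Pub, l.Primary, l.MinVersion); err == nil {
			return "primary", nil
		}
	}
	if err := Verify(l.Pub, l.Backup, l.MinVersion); err != nil {
		return "", fmt.Errorf("no bootable image: %w", err)
	}
	return "backup", nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v1 := SignImage(priv, 1, []byte("vendor firmware v1")) // constructed sample images
	v2 := SignImage(priv, 2, []byte("vendor firmware v2"))
	l := &Loader{Pub: pub, MinVersion: 1, Primary: v1, Backup: v1, MaxFailures: 3}
	fmt.Println("update to v2:        ", l.Update(v2))
	// Attacker transplants v2's genuine signature onto their own payload.
	forged := Image{Version: 2, Payload: []byte("attacker firmware"), Sig: v2.Sig}
	fmt.Println("update to forged:    ", l.Update(forged))
	fmt.Println("downgrade to v1:     ", l.Update(v1))
	l.FailedBoots = 3 // attacker forces the failed-attempts state
	slot, err := l.SelectBoot()
	fmt.Println("boot after failures: ", slot, err)
	l.Backup = forged // and has also overwritten the backup slot
	slot, err = l.SelectBoot()
	fmt.Println("boot with bad backup:", slot, err)
}
```

    The point of the model is that there is exactly one verification routine and no state (failed-boot counter, backup slot, update request) that reaches a boot or flash decision without passing through it; the forged image is refused both as an update and as a fallback, and the downgrade is refused even though its signature is genuine.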


    Impact/Risk

    ° The attacker can gain access to anywhere from thousands to millions of devices worldwide by exploiting a security vulnerability that allows them to identify these devices and their IP addresses. These devices send signals to the manufacturer, which the attacker can intercept to locate and target them. Once access is obtained, the attacker can implant modified firmware containing malicious commands to carry out cyberattacks. This firmware may also include spyware or data-stealing malware for espionage purposes. Additionally, the attacker may use these compromised devices as part of a botnet to launch DDoS attacks, overwhelming target systems with traffic.

    ° The vulnerabilities affected multiple devices, servers, and systems used in various sectors, including government offices, airports, hotels, companies, and hospitals around the world. If an attacker exploits these vulnerabilities in the healthcare sector, it could lead to severe consequences, including the disruption of medical devices and access to healthcare systems. Such attacks could cripple hospital network infrastructure, resulting in delays in medical procedures and critical care. In worst-case scenarios, this may lead to breaches of emergency systems, operating rooms, and intensive care units, potentially causing loss of lives.

    ° Illegal RF Operation: An attacker can configure the device to operate on illegal frequencies with unrestricted output power, violating air interface regulations, including FCC rules: 594280 D01, 594280 D02, and 442812 D01. Exploiting this vulnerability in sensitive locations such as airports could lead to severe consequences, including interference with radar systems and other critical communication channels, potentially causing operational disruptions and safety hazards.

    ° Attacks exploiting these vulnerabilities are classified as Advanced Persistent Threats (APT) due to the attacker’s ability to remotely and persistently gain control over the entire security architecture — including chain of trust, Web GUI, and firmware verification mechanisms — without detection. The attacks exploit weaknesses in these components to implant persistent, stealthy, and irreversible malware with root privileges. This enables long-term unauthorized access, espionage, disruption, or sabotage across critical infrastructure and sensitive networks, often without triggering security alerts or allowing recovery.

    ° Attackers can remotely take over systems, compromising them from the lowest operating and security layers up to the highest levels, resulting in complete device compromises that victims—including even the manufacturer—cannot recover from without the attacker’s cooperation.
    Moreover, neither the victims nor even the manufacturer can detect that the system is under unauthorized control, as the attacker’s code carries a signature that appears to have been legitimately issued by the company.

    ° Full remote compromise allows devices to be fully and remotely controlled by an attacker. Persistent backdoors can be implanted for various malicious purposes. Furthermore, future software updates can be permanently blocked by the attacker, preventing any remediation, and in the worst cases, the attacker may even brick the devices beyond repair, necessitating their complete replacement.


    Responsible Disclosure


    All discovered vulnerabilities were responsibly reported directly to CommScope Inc and its affiliated companies, providing them with full technical details necessary for understanding, reproducing, and fixing the issues. No exploit code or sensitive technical steps have ever been published or shared publicly, to protect critical infrastructure and prevent misuse.

    Affected Products

    R300, R310, R320, R500, R500e, R510, R600, R610, R700, R720, R750, T300, T300e, T301n, T301s, T310c, T310d, T310n, T310s, T610, T710, T710s, E510, H320, H510, M510, C110, C500, H500, T504, P300, ZoneDirector 1100, 1200, 3000, 5000; SmartCell Gateway 200; SmartZone 100, 300; Virtual SmartZone; Cloud (5.1.1), ZFsc8800s, ZFsc8800ac, ZF7321, ZF7321u, ZF7341, ZF7343, ZF7351, ZF7352, ZF7363, ZF7372, ZF7372E, ZF7441, ZF7025, ZF7055, ZF7761cm, ZF7762, ZF7762AC, ZF7762N, ZF7762S, ZF7762S-AC, ZF7762t, ZF7781cm, ZF7781cm-E, ZF7781cm-S, ZF7781fn, ZF7781fn-E, ZF7781M, ZF7781S, ZF7782, ZF7782E, ZF7782N, ZF7782S, ZF2741, ZF2741E, ZF2942, ZF7982, ZF7962, ZF7942.

    The following table lists the vulnerable Ruckus products, the affected software versions, and the recommended mitigation actions; access points that share the same status are grouped in one row:

    | Vulnerable product | Vulnerable releases | Fixed release / patch | Release date |
    |---|---|---|---|
    | ZoneDirector | 10.0.x and before | Upgrade to 10.0.1.0.93 | Feb 18, 2020 |
    | ZoneDirector | 10.1.x | Upgrade to 10.1.2.0.277 | Feb 14, 2020 |
    | ZoneDirector | 10.2.x | Upgrade to 10.2.1.0.159 | Feb 25, 2020 |
    | ZoneDirector | 10.3.x | Upgrade to 10.3.1.0.24 | Feb 25, 2020 |
    | ZoneDirector | 10.4.x | Upgrade to 10.4.0.0.70 | Feb 21, 2020 |
    | SmartZone (v/SZ) | 3.4.2 | Upgrade to 3.4.2 Patch-4 build 3.4.2.0.245; the customer can then apply AP patch scg-ap-3.4.2.0-911.patch to an AP zone | Feb 25, 2020 |
    | SmartZone (v/SZ) | 3.6.2 | Upgrade to 3.6.2 Patch-2 build 3.6.2.0.250; the customer can then apply AP patch scg-ap-3.6.2.0-765.patch to an AP zone | Feb 25, 2020 |
    | SmartZone (v/SZ) | 5.0, 5.1 | Upgrade to 5.2 GA Refresh build 5.2.0.0.699; the customer can then apply AP patch scg-ap-5.2.0.0-5010.patch to an AP zone | Feb 25, 2020 |
    | SmartZone (v/SZ) | 5.2 | On 5.2 GA Refresh build 5.2.0.0.699, the customer can apply AP patch scg-ap-5.2.0.0-5010.patch to an AP zone | Feb 25, 2020 |
    | Cloud | 5.1.1 | No end-user action required | Feb 29, 2020 |
    | Unleashed AP: C110, E510, H320, H510, M510, R320, R510, R610, R710, R720, R750, T310c, T310d, T310n, T310s, T610, T710, T710s | All versions | TBD | TBD |
    | Unleashed AP: R310, R500, R600, T300, T300e, T301n, T301s | All versions | Out of software support | End of Life |
    | Solo AP: C110, E510, H320, H510, M510, R320, R510, R610, R710, R720, R750, T310c, T310d, T310n, T310s, T610, T710, T710s | All versions | TBD | TBD |
    | Solo AP: R310, R500, R500e, R600, T300, T300e, T301n, T301s, T504, P300 | All versions | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
    | Solo AP: C500, H500, R300, R700 | All versions | Out of software support | End of Life |
    | Solo AP: ZFsc8800s, ZFsc8800ac, ZF7321, ZF7321u, ZF7341, ZF7343, ZF7351, ZF7352, ZF7363, ZF7372, ZF7372E, ZF7441, ZF7025, ZF7055, ZF7761cm, ZF7762, ZF7762AC, ZF7762N, ZF7762S, ZF7762S-AC, ZF7762t, ZF7781cm, ZF7781cm-E, ZF7781cm-S, ZF7781fn, ZF7781fn-E, ZF7781M, ZF7781S, ZF7782, ZF7782E, ZF7782N, ZF7782S, ZF2741, ZF2741E, ZF2942, ZF7982, ZF7962, ZF7942 | All versions | Out of software support | End of Life |


    Solution

    • CommScope has released patches for some products and is in the process of developing and releasing software fixes for all affected products. We recommend installing these updates as soon as they become available.

    • EOL (End-of-Life) Products will not receive fix patches.

    Aiman Al-Hadhrami — Independent Cybersecurity Researcher