Cybersecurity firms clash over allegation that 'terabytes' of client data was leaking online

A security firm has hit back at claims that its software was leaking "terabytes" of client data, saying the capability in question was a feature, not a bug. Meanwhile, the company making the accusations has now been criticised for rushing to publish the disclosure without warning.

On Wednesday 9 August, DirectDefense released a threat report asserting that a popular software tool from Carbon Black, another US cybersecurity firm, was actually a "pay-for-play exfiltration botnet" that was leaking customer data, network intelligence and passwords.

Jim Broome, president of DirectDefense, claimed that his company had found "hundreds of thousands of files comprising terabytes of data" after looking into how client data and files were being shared with a third-party, cloud-based, malware scanner.

"Cloud-based multi-scanners operate as for-profit businesses," he wrote in a blog post.

"This means that files uploaded by Cb Response [the software tool] customers first go to Carbon Black but then are immediately forwarded to a cloud-based multi-scanner, where they are dutifully spread to anyone that wants them and is willing to pay."

The DirectDefense chief acknowledged the company had not "performed an exhaustive analysis of the breadth of the leaks" but still claimed to have uncovered a "serious breach of confidentiality".

The problem, to some, was that it failed to tell Carbon Black before disclosing.

The swift response

"[The blog] incorrectly asserts an architectural flaw in Cb Response that leaks customer data," responded Michael Viscuso, the cofounder of Carbon Black. "This is an optional feature to allow customers to share information with external sources," he added.

Viscuso stressed that the sharing of client data was disabled by default.

In his own blog post, he hit back: "We allow customers to opt in to these services and inform them of the privacy risks associated with sharing. Our products are not dependent on these services."

"We appreciate the work of the security research community," he continued. "However, it is important to note that Carbon Black was not informed about this issue by DirectDefense prior to publication of the blog to validate their findings.

"For example, the blog asserts that this is an architectural flaw in all Cb products.

"To the contrary, this is exclusively a Cb Response feature – not included in Cb Protection or Cb Defense. It is also not a foundational architectural flaw. It is a feature."

And the sparring didn't end there.

Broome later responded by saying that Carbon Black's in-depth response to the discovery was "just more validation of our findings".

He wrote in, yes, another blog post: "Our assertion is, this is not a vulnerability in the product, but an architectural or integration issue between vendors."

While the security industry thrives on cooperation between vendors and researchers, it is typically ruled by the idea of responsible disclosure – which means giving companies a chance to respond to any issues found in products or software before the information hits the public domain.

Ultimately, this led many to criticise the work of DirectDefense, even if some of its findings were valid. "Carbon Black also said DirectDefense never notified them about their findings in advance. Comes across as ill-conceived PR play," tweeted security journalist Brian Krebs.