Pakistani security researcher Rafay Baloch has identified a couple of vulnerabilities in Avira’s BetaCenter site. The security holes are a directory traversal and a reflected cross-site scripting (XSS) issue.
“Directory traversal is an attack which allows an attacker to access restricted directories and execute commands in some cases. I was able to access winboot.ini file by using a directory traversal attack against Avira,” the expert explained.
He has reported his findings to the security solutions provider, which has forwarded the information to the third party that manages the BetaCenter.
The hosting company addressed the issues within a few hours after being contacted. For his efforts, Avira has rewarded the researcher with an acknowledgement certificate.
In addition, Centercode, the company that hosts the BetaCenter has rewarded Baloch with an Amazon gift card.
I advise security experts to follow Rafay Baloch’s example and responsibly disclose all the vulnerabilities they find.
It might be difficult sometimes, and it might not be as financially rewarding as using the flaws for illegal purposes, but at least you’ll be able to sleep well at night and feel good about yourself for helping make the Internet safer.
Updated to clarify that the Amazon gift card was offered to the researcher by Centercode, the company that hosts the BetaCenter, not Avira.