Posted: 1/12/2022 12:03:39 PM EDT
HOLY FUCK…. So I ordered a form 1 kit from quietbore.  They wanted to see my DL and form 1 paperwork, so sure why not, other FFLs have it.  

So I got their order email, my documents are sitting in a WordPress directory on their web site.  If you know the URL you can see it WITHOUT any authentication.

Attachment Attached File



Just emailed them and was going to call but there is no phone number listed.


The point is that they are using WordPress and it is always and will always be hacked in the future.  You don't store shit like this on a fucking WordPress site.

WTF..... Seriously..... WTF.....

Link Posted: 1/12/2022 12:07:04 PM EDT
[#1]
Thanks.

Sincerely,

AFT

Link Posted: 1/13/2022 1:33:08 AM EDT
[#2]
Hi,

Thank you for bringing to everyone's attention the potential cyber risk of QB's current document/customer info storage practices. As a multiple-time customer, I am not happy with what you are proposing they are doing with their cyber hygiene practices.

I'm a cybersecurity engineer with a networking background, but have 0% experience with WordPress, focusing mainly on DoD stuff -- WP just doesn't figure into my career at all since we never use it where I am at and have worked. Hence, I'm a bit confused on how you are accessing everyone's data (is that your contention?), and/or, why it's as grave as you say (minus the fact that they are retarded for using WordPress in this manner, since it is, as you've said, always hackable). Your two threads seem to indicate that anyone can access the data by navigating the Directory parent/child relationships. But, I've gone through my own order emails and have tried to publicly/Unauth navigate the site and keep finding I arrive at a "Forbidden" error message -- much like one would expect if the .htaccess file were properly modified to forbid Index access.

1) Are you saying that if someone guessed the directory/file structure and URL convention they could access all uploaded files

OR

2) Are you saying there is a WordPress-Savvy backdoor to arrive at the individual files

OR

3) Are you saying that if their site/server was compromised all of said info would be open to an attacker?

I'd be interested in which number or combo thereof you are deriving your conclusion from and pursuant to that, how we can assist QB in sanitizing this from public view. If they refuse, as they seem to treat simple order emails as NFA (which they aren't), then it would seem legal recourse is in order since this is a violation of PII storage practices as Industry standards demand.

It certainly is stupid of them to store PII like that as it provides a vector for:

A) NFA items' targeted theft
B) Anti-2A Swatting, either in the form of claimed threats or claimed skirting of NFA laws, e.g., "He tried to sell me an off the books suppressor, SN# XXXX", etc.

Thanks
Link Posted: 1/13/2022 10:03:19 AM EDT
[#3]
Quoted:
1) Are you saying that if someone guessed the directory/file structure and URL convention they could access all uploaded files

OR

2) Are you saying there is a WordPress-Savvy backdoor to arrive at the individual files

OR

3) Are you saying that if their site/server was compromised all of said info would be open to an attacker?

View Quote


Any upload from a WordPress site would go here, as this is the expanding folder on a WordPress site so the data would always go here.  It could be part of a plugin or media uploads but it would be in the same directory either way.  There are plugins to hide the folder, which they could be doing and the prompt still shows /wp-conten.  The bigger thing is what happens later, do they move these documents offline once a week or whatever.  Security is not necessarily any different than any other websites that have upload ability.

OP, There is a firearm business at same location, if you can use the phone number to contact them.
Link Posted: 1/13/2022 11:14:44 AM EDT
[#4]
Quoted:

Any upload from a WordPress site would go here, as this is the expanding folder on a WordPress site so the data would always go here.  It could be part of a plugin or media uploads but it would be in the same directory either way.  There are plugins to hide the folder, which they could be doing and the prompt still shows /wp-conten.  The bigger thing is what happens later, do they move these documents offline once a week or whatever.  Security is not necessarily any different than any other websites that have upload ability.

OP, There is a firearm business at same location, if you can use the phone number to contact them.
View Quote
From a cursory reading on WP, I gathered as much. My question is what *exactly* is the OP contending is an issue and how is an attack mechanism to be understood in light of the claim. Is it that they even retain the data, or that it's in a webserver, or is he claiming that it's literally open to see the Index and files (cus I'm only getting a forbidden message when trying to nav away from my specific info), etc.

They do not seem to transfer the files to an offline or more secure/obscure location. Last time I ordered was months ago and my info is still there.
Link Posted: 1/14/2022 9:03:59 PM EDT
[#5]
Companies like this don't deserve to be in business.

They demand very personal information (SSN, UPINs, addresses, etc) when it's not required by law. Then they store it out in the open. I was just talking to a buddy how dumb it was to trust these buffoons with your personal info, turns out they were more incompetent than I'd imagined.
Link Posted: 1/14/2022 11:27:11 PM EDT
[#6]
Quoted:
Quoted:


Any upload from a WordPress site would go here, as this is the expanding folder on a WordPress site so the data would always go here.  It could be part of a plugin or media uploads but it would be in the same directory either way.  There are plugins to hide the folder, which they could be doing and the prompt still shows /wp-conten.  The bigger thing is what happens later, do they move these documents offline once a week or whatever.  Security is not necessarily any different than any other websites that have upload ability.

OP, There is a firearm business at same location, if you can use the phone number to contact them.


From a cursory reading on WP, I gathered as much. My question is what *exactly* is the OP contending is an issue and how is an attack mechanism to be understood in light of the claim. Is it that they even retain the data, or that it's in a webserver, or is he claiming that it's literally open to see the Index and files (cus I'm only getting a forbidden message when trying to nav away from my specific info), etc.

They do not seem to transfer the files to an offline or more secure/obscure location. Last time I ordered was months ago and my info is still there.


Fair question.  Ok, walk thru this with me.

You check your email.
You open the order email they just sent you.
In the order email there is a link.
You click that link and it downloads your form1 with ALL your personal info.

Doesn't sound so bad right?

Well, if anyone else gets a hold of that link, they can get the same file too.  No password protection, nothing.  If they have the link they have the file.  If they get a hold of that email they can download that file.  Any system administrator that can access your email can download that file.  

Any scarier now?

How about more issues...

All of those form 1's and those driver licenses are stored exactly the same way.  If someone guesses a filename they can get your form1 even if they don't have that order email.

Not scary enough?

Ok.. another one.

Since all those files are stored in a directory on that webserver (Apache, I think), only one Apache setting is stopping directory browsing.  Meaning if that is turned off then just by going to that directory you can see EVERY single file in that directory without having to guess the name of the file or have the link to that file.  You WILL SEE THEM ALL.

Not scary enough right???

Ok.. one more.  Their website is running WordPress.  If you look at the security bulletins for WordPress you will see that they have 20 (twenty, count em, twenty) directory traversal critical security alerts in the last few years.  Directory traversal bugs/exploits mean that via a bug in WordPress you can look at any file on that server.   We don't know what version they are running right now but if it is an older version that issue will expose ALL the form 1s and driver licenses.  I didn't check all 20 issues against their server.  Gee do you think script kiddies and hackers running automated scripts won't check?  

Even if they are on the latest version, do you really think they should trust Wordpress?  At the very least they could password protect that directory and they choose not to.

I dunno man.... you tell me....   Is that enough to be concerned about?
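The four failure modes the post above walks through (a bare link that works for anyone, a guessable filename, a directory listing one setting away, a traversal bug reading any file on the server) all come from serving customer documents as static files under the web root. One way to serve them instead, as an added Python illustration that is not QuietBore's code or any WordPress component: keep the files outside the web root, put a signed, expiring token in the order e-mail link, and have the download handler verify the token and canonicalise the path before streaming anything. The secret, the document directory and the 24-hour lifetime are assumed values.

```python
import hashlib
import hmac
import time
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed values: the real secret would be loaded from server config, and the
# document directory sits OUTSIDE the web root so Apache never serves or lists it.
SECRET = b"constructed-example-secret"
DOC_ROOT = Path("/srv/customer-docs").resolve()
TTL = 24 * 3600  # a link in an order e-mail stops working after one day


def sign(order_id: str, filename: str, expires: int) -> str:
    """HMAC over order, file and expiry: guessing a filename is not enough."""
    msg = f"{order_id}|{filename}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(order_id: str, filename: str, now: Optional[int] = None) -> str:
    """The link that goes into the order e-mail instead of a bare upload URL."""
    expires = (now if now is not None else int(time.time())) + TTL
    sig = sign(order_id, filename, expires)
    return f"/download?order={order_id}&file={filename}&exp={expires}&sig={sig}"


def safe_path(order_id: str, filename: str) -> Optional[Path]:
    """Canonicalise DOC_ROOT/<order>/<file>; refuse anything that escapes DOC_ROOT."""
    candidate = (DOC_ROOT / order_id / filename).resolve()
    return candidate if DOC_ROOT in candidate.parents else None


def check_link(url: str, now: Optional[int] = None) -> Tuple[int, Optional[Path]]:
    """What the /download handler decides: (HTTP status, file to stream or None)."""
    now = now if now is not None else int(time.time())
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        order_id, filename, exp, sig = q["order"], q["file"], int(q["exp"]), q["sig"]
    except (KeyError, ValueError):
        return 400, None
    if now > exp:
        return 410, None  # expired link: an old e-mail no longer hands out the file
    if not hmac.compare_digest(sig, sign(order_id, filename, exp)):
        return 403, None  # forged, guessed or tampered link
    path = safe_path(order_id, filename)
    if path is None:
        return 403, None  # traversal attempt such as ../../etc/passwd
    return 200, path
```

Because the handler, not the web server, opens the file, a misconfigured directory index or a traversal bug in the site's code no longer exposes the whole folder, and a leaked link stops working once it expires.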

Link Posted: 1/19/2022 10:43:20 AM EDT
[#7]
In and of itself, there is nothing "wrong" with Wordpress.

The problem is poor web development and hygiene. There is an actual difference.

Organizations like Quietbore like to make excuses for lacking the skillset or for being inept at it but if you are going to conduct business on the Internet, you have zero excuses.
Link Posted: 1/27/2022 7:52:49 PM EDT
[#8]
Those fuckers at quietbore still haven't removed my driver license from their web site.

https://i.imgur.com/9t8WtDZ.png

Link Posted: 1/27/2022 10:46:53 PM EDT
[#9]
Quoted:
 If you look at the security bulletins for WordPress you will see that they have 20 (twenty, count em, twenty) directory traversal critical security alerts in the last few years.  

View Quote


ha 20? try hundreds if not more. PHP and WordPress are a hot mess. it always has been. WordPress might have 20 in the past year or so, but WordPress (and the fact that it's still PHP) is a disaster.

EDIT: Wordpress' upload directory was never intended to house PII. it was meant as a place to store content that would be served to its public facing website/blog.
Link Posted: 1/28/2022 2:19:48 AM EDT
[#10]
An apparent employee (owner?) CA_PrestonF of quiet bore basically admitted they intentionally left OP's personal info up as a "Fuck You" for being annoying about the issue. Pretty fucked.  I certainly won't do business with a dude who doxes his customers and thinks it's funny, particularly when NFA stuff is involved.  


Link Posted: 1/28/2022 9:32:50 AM EDT
[#12]
Seems like the number of quietbore purchases I make will remain limited to just the one.
Link Posted: 1/28/2022 11:45:42 AM EDT
[#13]
Preston handled this one quite poorly. His 22 kits were good and easy to put together but I'll never buy from him again. Doubling and tripling down on being an asshole with customers' personal data is a really poor business move.
Link Posted: 1/28/2022 3:39:39 PM EDT
[#14]
Goddamnit. I ordered one of their kits a few days ago and another this morning
Link Posted: 1/28/2022 3:56:21 PM EDT
[#15]
Quoted:
Goddamnit. I ordered one of their kits a few days ago and another this morning
View Quote


IM me the name of the file you uploaded but I will likely be able to see the file if you do.
Link Posted: 1/28/2022 7:36:40 PM EDT
[#16]
Quoted:
An apparent employee (owner?) CA_PrestonF of quiet bore basically admitted they intentionally left OP's personal info up as a "Fuck You" for being annoying about the issue. Pretty fucked.  I certainly won't do business with a dude who doxes his customers and thinks it's funny, particularly when NFA stuff is involved.  


https://i.imgur.com/Tn9MbMU.png
View Quote


Ho-Lee-Phuk
Link Posted: 1/31/2022 3:07:00 PM EDT
[#17]
I believe there was identity theft as a result of Quiet bore's action and lack of action after a data breach was reported to them.

I believe that formal complaints against Quietbore are the next step forward, at both the Federal and State level. I have reached out to the attorneys general of both states as well.

Please feel free to reach out to me via IM if you have also been a victim of identity theft or feel like your information has been published to the public without your knowledge or approval and would like to join in a complaint against this business.