Belgian CVD is deeply broken
10 months ago
- #Vulnerability Disclosure
- #Cybersecurity
- #Belgium
- The author discovered a vulnerability in KBC's eBanking portal, allowing login bypass with minimal effort.
- The author attempted responsible disclosure to KBC and the Centre for Cybersecurity Belgium (CCB), but was met with legal threats and a denial that the vulnerability existed.
- The Belgian CVD (Coordinated Vulnerability Disclosure) system is criticized as broken, with legal and procedural barriers that discourage reporters.
- The CCB and KBC mishandled the report, focusing on formalities rather than addressing the security flaw.
- The vulnerability stems from insufficient binding between KBC's browser session and the itsme authentication app, a design flaw.
- Despite itsme having a mitigation mechanism (Proof of Possession of Registration), KBC's implementation lacks this security layer.
- The author highlights systemic issues: treating reporters as criminals, lack of public disclosure, and imbalance in reporter rights.
- Recommendations include legal protection for reporters, public disclosure allowances, and upskilling the CCB for better engagement.
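The design point in the two items on session binding and proof of possession can be shown with a toy login backend. The code below is an added illustration, not KBC's or itsme's code, and its flow, names and key handling are assumptions: an authenticator app is registered with a per-user secret, the browser opens a pending session with a fresh nonce, and the server either accepts a bare "user confirmed a login" approval (unbound) or requires a MAC over that session's nonce computed with the registered key (bound). With two sessions pending for the same user, the unbound server completes both on a single approval, while the bound server completes only the session the approval names and rejects that approval when presented against the other session.

```python
"""Toy login backend showing why an authenticator-app approval must be bound
to the specific browser session it confirms. Constructed example only: the
names, flow and key handling are assumptions, not KBC's or itsme's design."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def app_sign(app_key: bytes, session_id: str, nonce: bytes) -> bytes:
    """What the phone app computes when the user approves a login: a MAC over
    the session identifier and nonce shown in the browser, keyed with the
    secret established when the app was registered (proof of possession)."""
    return hmac.new(app_key, session_id.encode() + nonce, hashlib.sha256).digest()


class AuthServer:
    """Hypothetical eBanking backend. bound=False models an approval that only
    states 'this user confirmed a login'; bound=True requires the approval to
    carry a MAC over the exact session the browser is waiting on."""

    def __init__(self, bound: bool) -> None:
        self.bound = bound
        self.app_keys: Dict[str, bytes] = {}             # user -> key shared with the registered app
        self.pending: Dict[str, Tuple[str, bytes]] = {}  # session_id -> (user, nonce)
        self.logged_in: set = set()

    def register_app(self, user: str) -> bytes:
        # Enrolment of the phone app: server and app share a per-user secret.
        key = secrets.token_bytes(32)
        self.app_keys[user] = key
        return key

    def start_login(self, user: str) -> Tuple[str, bytes]:
        # The browser asks to log in; the server opens a pending session with a
        # fresh nonce that the app has to confirm out of band.
        session_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[session_id] = (user, nonce)
        return session_id, nonce

    def approve(self, user: str, session_id: Optional[str] = None,
                mac: Optional[bytes] = None) -> List[str]:
        """Process an approval from the app; returns the session ids completed."""
        completed: List[str] = []
        if user not in self.app_keys:
            return completed
        if not self.bound:
            # Unbound design: nothing ties the approval to one session, so the
            # server completes every session waiting on this user.
            for sid, (owner, _nonce) in list(self.pending.items()):
                if owner == user:
                    completed.append(sid)
        else:
            # Bound design: the approval must name a pending session of this
            # user and carry a valid MAC over that session's nonce.
            entry = self.pending.get(session_id or "")
            if entry is None or entry[0] != user or mac is None:
                return completed
            expected = app_sign(self.app_keys[user], session_id, entry[1])
            if hmac.compare_digest(expected, mac):
                completed.append(session_id)
        for sid in completed:
            del self.pending[sid]
            self.logged_in.add(sid)
        return completed

    def is_logged_in(self, session_id: str) -> bool:
        return session_id in self.logged_in


def scenario(bound: bool) -> Dict[str, object]:
    """Two sessions are pending for the same user; the app confirms only the
    first. Reports which sessions ended up logged in under each design."""
    server = AuthServer(bound)
    key = server.register_app("alice")
    sid_a, nonce_a = server.start_login("alice")   # the session the user opened
    sid_b, _ = server.start_login("alice")         # another session pending for her
    mac_a = app_sign(key, sid_a, nonce_a)
    completed = server.approve("alice", sid_a, mac_a)
    # Presenting A's approval against session B must not complete B.
    replayed = server.approve("alice", sid_b, mac_a)
    return {
        "a_logged_in": server.is_logged_in(sid_a),
        "b_logged_in": server.is_logged_in(sid_b),
        "completed": len(completed),
        "replay_completed": len(replayed),
    }


if __name__ == "__main__":
    for bound in (False, True):
        print("bound" if bound else "unbound", scenario(bound))
```

The unbound variant prints both sessions as logged in after one approval; the bound variant completes only session A and ignores A's MAC when it is offered for session B. A real deployment would use the authenticator's own signing mechanism rather than a shared HMAC key, but the property to check is the same: the server must be able to verify that the approval it received was produced for the exact session it is about to complete.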