ICEBlock handled my vulnerability report in the worst possible way

Last week, Micah Lee published a critique of the ICEBlock app by Joshua Aaron, which allows anonymous reporting of ICE (U.S. Immigration and Customs Enforcement) sightings within a 5-mile radius. Despite the app's apparently good intentions, Micah argued in an earlier post that ICEBlock is "activism theater," citing the lack of verification of reports, disregard for local community advice, and poor security practices.

---

Vulnerability Discovery and Disclosure

Micah found that Joshua's server running the ICEBlock app uses outdated Apache httpd 2.4.57, which contains multiple critical security vulnerabilities, including CVE-2024-38476, that could allow remote server takeover. He was deliberately vague at first to avoid inviting active exploitation before giving Joshua a chance to fix the problem. ICEBlock has over one million App Store downloads; it is unknown whether user data or reports are stored on the vulnerable server, but the risk is significant.

---

Attempts to Notify the Developer

Micah contacted Joshua via direct messages (DMs) on two Bluesky accounts: the official @iceblock.app account (which blocked Micah immediately after the initial message), and Joshua's personal @joshua.stealingheather.com account. On September 1, Micah warned Joshua about the critical Apache vulnerabilities and provided detailed information and references. Joshua responded only once, from his personal account, with a message accusing Micah of lying and refusing further communication. Micah invited corrections or clarifications if he was mistaken, but received no constructive response.

---

Follow-Up and Deadline

By September 3, Micah checked again and found that no updates had been applied; the Apache server remained vulnerable. He informed Joshua, giving him a week to patch the server before public disclosure and explaining how simple the update process is (sudo apt update && sudo apt upgrade). Joshua did not respond and blocked Micah on the personal Bluesky account as well.

---

Current Status and Concerns

Even after more than a week, the ICEBlock server remains unpatched, leaving it exposed to potential data or server compromise. The developer has been dismissive and uncooperative despite responsible disclosure. Micah hopes no user data is stored on that vulnerable server, given the risk.

---

Additional Context

Micah had previously criticized the project's security and privacy posture based on Joshua's HOPE conference talk, in which the developer admitted to a lack of security experience and to ignoring community advice. The blog post aims to warn users and the community about the risk of trusting ICEBlock's "highly secure" claims.

---

Key Links

Vulnerability details for Apache 2.4.57: https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2024-38476 details: https://nvd.nist.gov/vuln/detail/CVE-2024-38476
Micah's original ICEBlock critique: Unfortunately the ICEBlock app is activism theater

---

Summary

Micah Lee responsibly disclosed multiple critical security flaws in the ICEBlock app's server to developer Joshua Aaron, who dismissed the warnings, blocked communication, and failed to patch the known vulnerabilities, even after explicit warnings and a clear deadline. This neglect jeopardizes user data and the app's safety, undermines trust in ICEBlock's security claims, and raises serious concerns about the developer's handling of security issues.
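The check Micah describes above, comparing the version a server advertises against the release that fixed CVE-2024-38476, is easy to automate for one's own hosts. The following is an added example, not code from Micah's post or from the ICEBlock project: it parses an Apache `Server` banner (or the `Server version:` line printed locally by `apache2 -v`) and reports whether the version predates the fix. The fixed-version constant is an assumption taken from the Apache advisory page linked above and should be confirmed there; the sample banners are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# First upstream release shipping the fix for CVE-2024-38476.
# ASSUMPTION: confirm against https://httpd.apache.org/security/vulnerabilities_24.html
FIXED_VERSION: Tuple[int, int, int] = (2, 4, 60)

# Matches "Apache/2.4.57" inside a Server header or "apache2 -v" output.
_HTTPD_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a banner such as 'Apache/2.4.57 (Ubuntu)'.

    Returns None when no version is advertised: 'ServerTokens Prod' yields a bare
    'Apache', and non-httpd banners (e.g. nginx) never match.
    """
    match = _HTTPD_RE.search(banner)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess_banner(banner: str, fixed: Tuple[int, int, int] = FIXED_VERSION) -> str:
    """Classify a banner as 'vulnerable', 'patched' or 'unknown' relative to `fixed`."""
    version = parse_httpd_version(banner)
    if version is None:
        return "unknown"  # no version to compare; verify on the host instead
    return "vulnerable" if version < fixed else "patched"


def triage(banners: Iterable[str]) -> Dict[str, str]:
    """Run assess_banner over a set of banners collected from one's own servers."""
    return {banner: assess_banner(banner) for banner in banners}


# Constructed sample banners, as a Server header or 'apache2 -v' might report them.
SAMPLE_BANNERS = [
    "Apache/2.4.57 (Ubuntu)",                   # the version Micah reports for ICEBlock
    "Server version: Apache/2.4.62 (Debian)",   # a post-fix release
    "Apache",                                   # ServerTokens Prod hides the version
    "nginx/1.24.0",                             # not httpd at all
]

if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:10s} {banner}")
```

A banner comparison is a first pass, not a verdict: Debian and Ubuntu packages sometimes backport security fixes while keeping the upstream version string, so a result of "vulnerable" should be confirmed on the host with the package manager (for example `apt changelog apache2` or `dpkg -l apache2`), and a result of "unknown" means the host must be checked directly. On a Debian-based server the remediation is the one Micah names, `sudo apt update && sudo apt upgrade`, followed by re-running the check.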