
Posted by hackermondev 5 days ago

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack (gist.github.com)
1162 points | 434 comments | page 2
bigthroat 4 days ago|
Interesting timing — we captured downstream exploitation of this exact attack surface.

38 days after @hackermondev's disclosure, our automated OSINT harvester pulled 121 IOCs from OpenPhish/OTX:

- 101 URLs for discord.flawing.top/blog/* (mimicking Discord's documentation structure)
- 20 URLs for openopenbox301.vercel.app (phishing hosted ON Vercel)

The attackers read the same disclosures we do. They just build infrastructure instead of writing reports.

Evidence (queryable):
curl "https://analytics.dugganusa.com/api/v1/search?q=discord.flawing.top"

Full writeup with IOCs: https://www.dugganusa.com/post/mintlify-xss-downstream-exploitation-captured

STIX feed (free): https://analytics.dugganusa.com/api/v1/stix-feed
throwaway613745 5 days ago||
Ok, I’m never opening an svg ever again.

Found by a 16 year old, what a legend.

prmoustache 5 days ago|
Open it with a browser running inside a jail.
ex-aws-dude 5 days ago||
I tried that and they wouldn't let me bring my laptop in
prmoustache 4 days ago|||
https://man.freebsd.org/cgi/man.cgi?jail https://github.com/Zouuup/landrun
gavinray 4 days ago|||
Alright, I chuckled.
bluetidepro 5 days ago||
Slightly related, as someone who doesn’t engage in this type of work, I’m curious about the potential risks associated with discovering, testing, and searching for security bugs. While it’s undoubtedly positive that this individual ultimately became a responsible person and disclosed the information, what if they hadn’t? Furthermore, on Discord’s side, what if they were unaware of this person and encountered someone attempting to snoop on this information, mistakenly believing them to be up to no good? Have there been cases where the risk involved wasn’t justified by the relatively low $4k reward? Or any specific companies you wouldn’t want to do this with because of a past incident with them?
michaelt 5 days ago||
If you engage in “white hat security research” on organisations who haven’t agreed to it (such as by offering rules of engagement on a site like HackerOne) there is indeed a risk.

For example they might send the police to your door, who’ll tell you you’ve violated some 1980s computer security law.

I know 99.99% of cybercrime goes unpunished, but that’s because the attackers are hard to identify, and in distant foreign lands. As a white hat you’re identifiable and maybe in the same country, meaning it’s much easier to prosecute you.

pverheggen 5 days ago|||
> Furthermore, on Discord’s side, what if they were unaware of this person and encountered someone attempting to snoop on this information, mistakenly believing them to be up to no good?

Companies will create bug bounty programs where they set ground rules (like no social engineering), and have guides on how to identify yourself as an ethical hacker, for example:

https://discord.com/security

jijijijij 5 days ago||
There are laws governing these scenarios. It's different everywhere. Portugal just updated theirs in favor of security researchers: https://www.bleepingcomputer.com/news/security/portugal-upda...
ta1999 5 days ago||
Not shocked given the following statement from Mintlify to a recruiter a few months ago:

"I'd rather hire a junior dev who knows the latest version of NextJS than a senior dev who is experienced with an earlier version."

This would be a forgivable remark, except the recruiter was aware of the shortsightedness, and likely attempted to coach the hiring manager...

000ooo000 4 days ago|
You're much more charitable than I am. I would not call that forgivable.
vpShane 4 days ago||
It isn't; they have so much knowledge, experience and foresight that has a significant gap in many ways.
hunvreus 5 days ago||
Mintlify does look pretty, but between that and all the React exploits, I'll stick with good ol' static sites.

Kinda why I built ReallySimpleDocs [1]. Add Pages CMS [2] to it and you're set.

[1]: https://reallysimpledocs.com/

[2]: https://pagescms.org

gowld 5 days ago||
The linked site https://heartbreak.ing/ explains that Mintlify disabled CORS, so that 3rd party sites can run code in your Mintlify-using environment (X, Vercel, etc).

The OP site says that .svg files can only run scripts if they are directly opened, not via <img> tags.

So how does the attack work?

LocalPCGuy 5 days ago|
My understanding is that the SVGs were imported directly and embedded as code, not as a `src` for an img tag. This is very common; it's a subjectively better (albeit with good security practices) way to render SVGs, as it provides the ability to adjust and style them via CSS since they are now just another element in the HTML DOM. It should only be done with "trusted" SVGs, however!

As for CORS, they were uploading the SVGs to an account of their own, but then using the vulnerabilities to pivot to other accounts.

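The distinction in the comment above (an inlined SVG becomes part of the DOM, so its scripts and handlers run; an SVG loaded through `<img src>` does not execute them) is something a docs build can enforce. As an added example, not code from the thread or from Mintlify, here is a conservative gate that flags active content in a contributor-supplied SVG and otherwise falls back to `<img>`; the element list, regexes and sample icons are assumptions constructed for the example.

```javascript
// Added example (not code from the thread or from Mintlify): a conservative
// gate for a docs build that decides whether a contributor-supplied SVG may be
// inlined into the page DOM or must fall back to <img src>, where browsers do
// not run the SVG's scripts or handlers. It rejects on doubt; it is not a sanitizer.

// Elements that can execute code or pull in external content once inlined
// (an assumed, deliberately broad list, not a complete catalogue).
const ACTIVE_ELEMENTS = new Set([
  "script", "foreignobject", "iframe", "embed", "object", "use", "animate", "set",
]);
// URL-valued attributes: only same-document fragments and plain relative paths
// pass, so schemes (javascript:, data:), entities and whitespace all fail.
const URL_ATTRIBUTES = new Set(["href", "xlink:href"]);
const SAFE_REFERENCE = /^(?:#[\w-]+|[\w./-]+(?:#[\w-]*)?)$/;
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][\w:.-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=/"'<>]+)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Returns the reasons the SVG must not be inlined; an empty array means "ok".
function inlineSvgFindings(svgText) {
  const findings = [];
  // A DOCTYPE or entity declaration lets markup be spelled in ways this
  // scanner cannot resolve, so its mere presence fails the gate.
  if (/<!(?:DOCTYPE|ENTITY)/i.test(svgText)) findings.push("xml-doctype-or-entity");
  for (const [, closing, rawName, rawAttrs] of svgText.matchAll(TAG_RE)) {
    if (closing) continue;                         // </tag> carries no attributes
    const name = rawName.toLowerCase();
    if (ACTIVE_ELEMENTS.has(name)) findings.push(`element:${name}`);
    for (const [, attr, value = ""] of rawAttrs.matchAll(ATTR_RE)) {
      const key = attr.toLowerCase();
      const val = value.replace(/^["']|["']$/g, "").trim();
      if (key.startsWith("on")) findings.push(`handler:${key}`); // onload, onclick, ...
      if (URL_ATTRIBUTES.has(key) && !SAFE_REFERENCE.test(val)) {
        findings.push(`reference:${key}=${val}`);
      }
    }
  }
  return findings;
}

// "inline" keeps the SVG stylable via CSS as a DOM node; "img" is the fallback
// for anything the gate does not accept.
function chooseRendering(svgText) {
  return inlineSvgFindings(svgText).length === 0 ? "inline" : "img";
}

// Constructed samples: a plain icon and one carrying three classic XSS vectors.
const TRUSTED_ICON = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 2L2 22h20z" fill="currentColor"/></svg>';
const HOSTILE_ICON = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script><a href="javascript:alert(1)"><text>docs</text></a></svg>';
console.log(chooseRendering(TRUSTED_ICON), chooseRendering(HOSTILE_ICON), inlineSvgFindings(HOSTILE_ICON));
```

Anything the gate rejects is still usable in the docs, just as `<img src="...">` rather than markup spliced into the page.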
gowld 5 days ago||
Thanks, that makes sense. Strange that the writeup skipped the most important step in the vulnerability!
trollbridge 4 days ago||
A lesson from this is that you shouldn't host third-party stuff in your own domain. Instead of placing it on docs.discord.com, place it on discord-docs.com.
matt3210 4 days ago||
>AI-powered documentation platform. You write your documentation as markdown and Mintlify turns it into a beautiful documentation platform

Why do you need AI for this? Aren't there tons of packages which do very similar things without AI?

zahlman 4 days ago|
For that matter, why do you need SaaS for this? Aren't there tons of simple locally runnable solutions, including SSGs?
j_w 4 days ago||
Well if they don't do SOMETHING with AI for their documentation how are they going to put it on their resumes?
ddtaylor 5 days ago|
$11k in bounties. Might have got more from the onion.
vablings 5 days ago||
Stupid, especially because he is a kid and young in his career. His lifetime earnings and ability to score a better paying job are worth way more than an extra couple thousand dollars from selling this kind of exploit to criminals. It's why NDAs for security vulnerabilities are harmful: they don't allow a kind of social credit accumulation.
azemetre 5 days ago||
Back in the day the US government would give you $20k-60k cash in a nice briefcase for this type of exploit. Just another thing big tech has ruined I suppose.
acheong08 5 days ago|||
Apple gave me $47k back when I was 16 and it definitely changed my life. Was subsequently able to get out of my 3rd world country and pay for university in the UK. While the quality of education is disappointing, having a graduate visa makes it so much easier to get a job or start a business there.
tptacek 5 days ago||||
Can you cite a source for that claim? The USG paying mid-5-figures for an XSS vulnerability? That's news to me.
azemetre 5 days ago|||
The book "This Is How They Tell Me the World Ends" by Nicole Perlroth, while it's about the history of cyberweapons it does a very good job detailing the late 90s to early 2010s exploit market.

I don't have it in front of me, but I'm talking about the "nobody but us" era of exploit markets:

https://en.wikipedia.org/wiki/NOBUS

Where the NSA seemingly was buying anything, even if not worthwhile, as a form of "munitions collection" to be used for future attacks.

edit: this mostly ended in the US because other nations started paying more; add in more regulations (only a handful of companies are allowed to sell these exploits internationally) and software companies starting to do basic security practices (along with rolling out their own bug bounties), and it just mostly whimpered away.

Also relevant to the discussion, the book discusses how the public exploit markets are exploitative of the workers themselves (low payouts when state actors would pay more) and there are periods of time where there would be open revolts too (see the 2009 "No More Free Bugs" movement, also discussed in the book).

Definitely worth it if you aren't aware of this history, I wasn't.

tptacek 5 days ago||
I haven't read her book, am myself somewhat read in to the background here, and if she's claiming NSA was stockpiling serverside web bugs, I do not believe her.

In reality, intelligence agencies today don't even really stockpile mobile platform RCE. The economics and logistics are counterintuitive. Most of the money is made on the "backend", in support/update costs, paid in tranches; CNE vendors have to work hard to keep up with the platforms even when their bugs aren't getting burned. We interviewed Mark Dowd about this last year for the SCW podcast.

azemetre 5 days ago||
Maybe there is a misunderstanding; I'm not saying that the NSA would be buying XSS scripts. I'm saying that if this was 35 years ago the NSA would be buying exploits for common user software. Back then the exploits were "lesser" but there still was a market, and not every exploit that was bought was a wonder of software engineering. Nowadays the targeted market is the web, and getting exploits on some of the most used sites would be worthy of buying.

Kid was simply born in the wrong era to cash out easy money.

tptacek 5 days ago||
I think you're wrong about this. 35 years ago was 1990. Nobody was selling vulnerabilities in 1990 at all. By 1995, I was belting out memory corruption RCEs (it was a lot easier then), and there was no market for them at all. And there has never been a market for web vulnerabilities like XSS.

Building reliable exploits is very difficult today, but the sums a reliable exploit on a mainstream mobile platform garner are also very high. Arguably, today is the best time to be doing that kind of work, if you have the talent.

0xbadcafebee 5 days ago|||
I can't imagine intelligence agencies/DoD not doing this with their gargantuan black budgets, if it's relevant to a specific target. They already contract with private research centers to develop exploits, and it's not like they're gonna run short on cash.
tptacek 5 days ago||
If that were the case, we'd routinely see mysterious XSS exploits on social networks. The underlying bugs are almost always difficult to target! And yet we do not.

The biggest problem, again, is that the vulnerabilities disappear instantaneously when the vendors learn about them; in fact, they disappear in epsilon time once the vulnerabilities are used, which is not how e.g. a mobile browser drive-by works.

0xbadcafebee 4 days ago|||
They have a class of attacks which are used for targeted intrusion into foreign entities. Typically espionage or cyberwarfare, so they're not often used (they're aware they might be a one-use attack), but some persist for a long time. Foreign entities also tend not to admit to the attacks when found, so if the vendor is a US entity, often the vendor doesn't find out. We do the same; when our intelligence agencies find out about a US compromise, they often keep mum about it.

I'm not talking about XSS specifically, I mean in general. An XSS isn't usually high-value, but if it affects the right target, it can be very valuable. Imagine an XSS or CSRF vuln in a web interface for firmware for industrial controls used by an enemy state, or a corporation in that state. It might only take 2 or 3 vectors to get to that point and then you have remote control of critical infrastructure.

Oh - and the idea that a vendor will always patch a hole when they find it? Not completely true. I have seen very suspicious things going on at high value vendors (w/their products), and asked questions, and nobody did anything. In my experience, management/devs are often quite willing to ignore potential compromise just to keep focusing on the quarterly goals.

tptacek 4 days ago||
Are these things you think it stands to reason the IC must be doing, or things you know for a fact that they are doing? It stands to reason for a lot of people that the IC must stockpile vulnerabilities, but they don't (they keep just a couple working ones) --- just as an example of counterintuitive things about how CNE works.
0xbadcafebee 4 days ago||
It's partly fact, partly reasoning. One fact comes from Stuxnet and the Snowden leaks, where they developed and deployed vulns that persisted for years without notice. The other fact is I've interviewed at the research centers and my eyes got pretty wide at the stuff they told me without an NDA, so they're definitely paying a lot to develop and acquire more vulns/new attacks. That was all 20 years ago, but the contracts are still there so there's no reason to suppose it stopped. There are also past NSA directors that've spoken at DEFCON for years about how they want more hackers, and the new cold war with China and Russia has been ongoing for nearly as long.

I'm not saying they stockpile vulns; I'm saying if somebody on the dark web said they had a vuln for sale for $50k, and it could help an agency penetrate China/Iran strategically, it would make no sense to turn it down, when they already pay many times more money to try to develop similar vulns.

tptacek 4 days ago||
You are here implicitly comparing Stuxnet and BULLRUN, two of the most sophisticated and expensive CNE operations ever conducted, with an XSS in Discord.
vablings 5 days ago|||
Why would YOU see a mystery XSS exploit on a social network? The idea of the DoD scoring these little exploits in a box is usually to deploy them in a highly controlled and specific manner. You as a layperson are of no interest to them unless you are some kind of intelligence asset or foreign adversary.
MajesticHobo2 5 days ago||
Wouldn't platforms see the supposed XSS payloads in their logs and publish analyses of them, or at the very least, announce that they happened?
rvnx 5 days ago|||
Seems like none of these major websites detected anything, and they are supposed to be top-notch in the world.

It's only because the researcher contacted them.

tptacek 5 days ago||
Also because nobody actively exploited them! You're using the word "detected" to mean "discovered", which nobody working in the field would ever do.
rvnx 5 days ago||
detected: WAF caught or detected the attack and raised an alert, post-exploitation

discovered: they audited or pentested themselves and found out, preemptively

I just mean that Coinbase didn’t see anything happening and didn’t take action though the boy successfully exploited the vulnerability on their live system.

vablings 5 days ago|||
No, not to individuals. There are absolutely contracts you can score for certain attack surfaces but that usually involves going through a company. If this person is from the United States, they will absolutely land themselves a good scholarship and a very well-paid job with a security clearance.
jijijijij 5 days ago||
$11k for the three of them in total! That's just bad PR.