Posted by hackermondev 5 days ago

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack(gist.github.com)
1162 points | 434 comments
whimsicalism 5 days ago
fascinating! but this is not a supply-chain attack unless i'm misunderstanding
td2 5 days ago
It kinda is, no? Discord uses Mintlify. Mintlify was vulnerable. And because they got access to Mintlify, Discord was now also attackable
Aachen 4 days ago
That's how language shifts. Supply chain attacks are broadly seen as a scary new thing, so like with any such term, people try to shoehorn things they find into its meaning. Those who fall for and repeat it shift the language. The same happened to the word 0day: it used to mean "a vulnerability that you specifically haven't had a chance to patch because it has been known to the world for 0 days". A scary thing. Now it's commonly used as a synonym for the word vulnerability

I wonder if every vulnerability is soon called a supply chain attack:

- Microsoft releases a Windows security update -> Discord uses Windows -> supply chain attack on Discord

- User didn't install security updates for a while -> brought their phone to work -> phone with microphone sits in pocket in meeting room -> supply chain attack

Everything has dependencies that can be vulnerable, that doesn't mean "the supply chain" was attacked in a targeted effort by some attacker

whimsicalism 5 days ago
that’s just a vulnerability in a dependency. a supply-chain attack is introducing malicious code in a dependency
Defletter 5 days ago
Okay, seriously, can we just get one, just ONE document/image spec that doesn't let you embed scripts or remote content? What is with this constant need to put the exact same vulnerability into EVERYTHING?! Just let me have a spec for completely static documents, jfc!
codedokode 5 days ago
It is clear that SVG should not support scripts and CSS in SVG files. Those who need them can simply create HTML with inline SVG tags and scripts. And SVG should contain only shapes, effects and transformations.

Or maybe we need a new image format, "SVG without scripts and CSS".

DoctorOW 5 days ago
CSS and scripts are wildly different. It's like responding to the old MS Office attacks with "Word without macros or font selection"
codedokode 3 days ago
The problem with CSS is that if you want to write an SVG viewer, you have to implement a whole CSS engine, which might be more complex than SVG renderer itself. And if you create an image in an editor, like Inkscape, you don't use CSS anyway. CSS is meant to be used when you write the code manually (instead of using an editor), for example, in a web app, and in this case you could use HTML as well.

So yes, CSS is not needed.

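Following codedokode's "SVG without scripts and CSS" idea, here is an added example of what that reduction looks like as code. It is not from the thread or from any vendor named in it; the function name `sanitize_svg`, the element allowlist and the hostile sample file are this example's own choices. It keeps only shapes, grouping, gradients, clipping, filters and text, and drops scripts, `<style>`, inline `style` attributes, `on*` handlers, `<foreignObject>`, and any `href` or `url(...)` that points outside the document. It uses only the standard library; for real untrusted input you would parse with defusedxml, since entity-expansion attacks are not handled here.

```python
# Added example, not code from the thread: allowlist SVG sanitizer.
# Assumptions: the allowlist below is this example's own; defusedxml is the
# right parser for untrusted input in production (not used here to stay
# dependency-free).
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XML_NS = "http://www.w3.org/XML/1998/namespace"

# Shapes, grouping, gradients/patterns, clipping, filters, text.  Anything
# else (script, style, foreignObject, a, image, use, ...) is removed with
# its whole subtree.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "symbol", "title", "desc",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan",
    "linearGradient", "radialGradient", "stop", "pattern", "clipPath", "mask",
    "filter", "feBlend", "feColorMatrix", "feComposite", "feFlood",
    "feGaussianBlur", "feMerge", "feMergeNode", "feOffset",
}
ALLOWED_NS = {"", SVG_NS}
_URL_REF = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]*)", re.IGNORECASE)


def _split(qname):
    """'{ns}local' -> (ns, local); a bare name has an empty namespace."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname


def _attr_is_safe(qname, value):
    ns, local = _split(qname)
    if ns not in (*ALLOWED_NS, XLINK_NS, XML_NS):
        return False
    low = local.lower()
    if low.startswith("on") or low == "style":   # event handlers, inline CSS
        return False
    if low == "href":                             # only in-document references
        return value.strip().startswith("#")
    # fill="url(#grad)" is local; url(https://...) makes the renderer fetch.
    return all(ref.startswith("#") for ref in _URL_REF.findall(value))


def _clean(elem, removed):
    for child in list(elem):
        ns, local = _split(child.tag)
        if ns not in ALLOWED_NS or local not in ALLOWED_ELEMENTS:
            removed.append(f"element:{local}")
            elem.remove(child)                    # drops the whole subtree
        else:
            _clean(child, removed)
    for name, value in list(elem.attrib.items()):
        if not _attr_is_safe(name, value):
            removed.append(f"attr:{_split(name)[1]}")
            del elem.attrib[name]


def sanitize_svg(data):
    """Return (clean_svg_text, list_of_removed_items) for one upload."""
    ET.register_namespace("", SVG_NS)             # serialise as <svg xmlns=...>
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(data)
    if _split(root.tag)[1] != "svg":
        raise ValueError("not an SVG document")
    removed = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed hostile upload for the example: script, handlers, CSS, remote
# references, a javascript: link and an HTML island via foreignObject.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"
     onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <style>rect { fill: url(https://evil.example/tracker.png) }</style>
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect width="50" height="50" fill="url(#g)" style="cursor:pointer" onclick="alert(1)"/>
  <circle cx="70" cy="70" r="20" fill="url(https://evil.example/x.svg#p)"/>
  <a xlink:href="javascript:alert(1)"><text x="10" y="90">click</text></a>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <iframe src="https://evil.example/"></iframe></body></foreignObject>
</svg>"""

if __name__ == "__main__":
    clean, removed = sanitize_svg(MALICIOUS_SVG)
    print(clean)
    print("removed:", removed)
```

The `removed` list is worth logging: an upload that loses a `script` element or an `onload` attribute on the way through is a signal in its own right, not just something to silently clean.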
mihaaly 5 days ago
Move fast and break things?

I have this feeling with almost all web tools I am required to use nowadays.

No trust.

doganugurlu 5 days ago
Move fast and break _other people's things._
quasarj 5 days ago
One of these days I'm gonna have to learn why cross-site scripting even matters, especially with modern browsers restricting a script's access to anything local
Sohcahtoa82 5 days ago
The attacker can do anything using your session.

The "Hello world" examples always show using it to steal your cookies, which obviously doesn't work now when nearly every site uses the "httpOnly" flag which makes the cookie inaccessible to JavaScript, but really, stealing your session isn't necessary. They just have to make the XSS payload run the necessary JavaScript.

Once the JavaScript is running on the page, all bets are off. They can do ANYTHING that the page can do, because now they can make HTTP requests on your behalf. SOP no longer applies. CSRF no longer protects you. The attacker has full control of your account, and all the requests will appear to come from YOUR browser.

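Sohcahtoa82's point is that once script runs on the site's origin, httpOnly cookies and CSRF tokens no longer matter, because the requests are same-origin. The control that follows from that is where and how user uploads are served. Below is an added example, not from the thread and not any vendor's code, of a check over the response headers for an uploaded file: the function name `audit_upload_response`, the findings text and the `docs.example` / `usercontent-docs.example` hosts are constructed for the example; the header names and CSP directives are the real ones.

```python
# Added example, not code from the thread: audit how an upload is served.
# Assumptions: sample origins and responses below are constructed; the
# finding texts are this example's wording.
from urllib.parse import urlsplit

# Content types a browser executes as a document when navigated to or
# embedded via <object>/<iframe>; an <img> reference renders SVG with
# scripting disabled, so it is the navigable cases that matter.
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}


def origin_of(url):
    """(scheme, host, port) as the same-origin policy sees it."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme.lower())
    return p.scheme.lower(), (p.hostname or "").lower(), port


def _parse_csp(value):
    policy = {}
    for directive in (value or "").split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_blocks_scripts(value):
    """True if the policy stops any script in the response from running."""
    policy = _parse_csp(value)
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return True
    sources = policy.get("script-src", policy.get("default-src"))
    return sources == ["'none'"]


def audit_upload_response(app_origin, content_url, headers):
    """List of findings; empty means the response is safe to serve even if
    the body is an SVG full of <script> elements."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    findings = []
    same_origin = origin_of(content_url) == origin_of(app_origin)
    if same_origin:
        findings.append("served from the application origin: script in the "
                        "file runs with the app's session and can call its APIs")
    if ctype in ACTIVE_TYPES and not csp_blocks_scripts(h.get("content-security-policy")):
        findings.append(f"{ctype} without a CSP that blocks scripts "
                        "(e.g. Content-Security-Policy: sandbox; default-src 'none')")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if same_origin and ctype in ACTIVE_TYPES and \
            not h.get("content-disposition", "").strip().lower().startswith("attachment"):
        findings.append("rendered inline on the app origin; Content-Disposition: "
                        "attachment would at least force a download")
    return findings


# Constructed sample responses for the same upload, weak and hardened.
APP = "https://docs.example"
WEAK = ("https://docs.example/uploads/logo.svg",
        {"Content-Type": "image/svg+xml", "Cache-Control": "public, max-age=3600"})
HARDENED = ("https://usercontent-docs.example/uploads/logo.svg",
            {"Content-Type": "image/svg+xml",
             "Content-Security-Policy": "sandbox; default-src 'none'",
             "X-Content-Type-Options": "nosniff"})

if __name__ == "__main__":
    for url, headers in (WEAK, HARDENED):
        print(url, audit_upload_response(APP, url, headers) or ["ok"])
```

The separate origin is the load-bearing part: with it, a script inside the SVG runs with a throwaway origin that holds no session, so the "anything the page can do" outcome in the comment above does not apply; the CSP `sandbox` and `nosniff` headers close the remaining routes to executing the file as a document.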
LocalPCGuy 5 days ago
If I can run my own code but in your context, I can pull in malicious scripts.

With those (all these are "possible" but not always, as usual, it depends, and random off the top of my head):

- I can redirect you to sites I control where I may be able to capture your login credentials.

- May be able to prompt and get you to download malware or virus payloads and run them locally.

- Can deface the site you are on, either leading to reputational harm for that brand, or leading you to think you're doing one thing when you're actually doing another.

- I may be able to exfiltrate your cookies and auth tokens for that site and potentially act as you.

- I might be able to pivot to other connected sites that use that site's authentication.

- I can prompt, as the site, for escalated access, and you may grant it because you trust that site, thereby potentially gaining access to your machine (it's not that the browsers fully restrict local access, they just require permission).

- Other social engineering attacks, trying to trick you into doing something that grants me more access, information, etc.

rainonmoon 5 days ago
It's a good question and one mature orgs ask themselves all the time. As you can see from most of the replies here, XSS captures the fancy of the bug bounty crowd because there are tonnes of hypothetical impacts so everyone is free to let their imagination run wild when arguing with triagers. It's also the exploit nonpareil for nerdsnipers because sanitisation is always changing and people get to spend their days coming up with increasingly ridiculous payloads to bypass them. In reality, find me one active threat actor who has compromised a business lately with an XSS. It's not an irrelevant risk, but the attention it gets is wildly disproportionate to its real-world impact.
gowld 5 days ago
You log in to goodsite.com

goodsite.com loads a script from user-generated-content-site.com/evil.js

evil.js reads and writes all your goodsite.com account data.

Aeolun 5 days ago
Damn, this is a good era to be in high school (or university) with a lot of free time. $4000 is a pretty good haul for a few hours of work poking at stuff.
enescakir 5 days ago
They have more security incidents than you'd expect for a documentation company. There was another one just last month.
wbnns 4 days ago
The collected bounty on this should have been so much higher than $14K :/
davidfstr 4 days ago
> If you didn't know, you can embed JavaScript into an SVG file.

Oh yikes. I did not know.

greesil 5 days ago
Everything is Swiss cheese. Let's just go back to paper and pen and one time pads.