
Posted by hackermondev 5 days ago

We pwned X, Vercel, Cursor, and Discord through a supply-chain attack(gist.github.com)
1162 points | 434 comments | page 5
gatestone 5 days ago|
Whoever invented the idea that you can embed JavaScript in picture files?
geekamongus 5 days ago||
16 year olds rule the world.
rldjbpin 5 days ago||
This was very well-written, and the moving parts were quite easy to understand.

Simultaneously, there are many opportunities throughout to harden one's app to avoid similar exploits.

voodooEntity 5 days ago||
Really nice finding for such a young folk - really liked reading into it. Also, what I love most about it is what an actually simple vuln it is.

Though what I find most funny about it is how many people are complaining about the $4k.

I mean, sure, the potential "damage" could have been a lot higher, though at the same time there was no contract in place or, at least as far as I understood, a clear bug bounty targeted. This was a, even if well done, random checking of XHR/requests to see if anything vulnerable can be found - searching for kind of file exposure / XSS / RFI/LFI. So everything paid (and especially since this is a Mintlify bug, not an actual Discord bug) is just a nice net gain.

Also, I'll just drop this here: ask yourself, are you searching for such vulns just for money or to make the net a safer place for everyone? Sure, getting some bucks for the work is nice, but I personally just hope stuff gets fixed on report.

kringle 5 days ago||
- enormously awesome

- that bug bounty was insufficient (Fidelity?!?!)

blindriver 4 days ago||
Every commit in every open source project should now go through an AI to see if it can detect anything nefarious. I'm sure there are ways to fool it, but it makes it a lot easier for bad actors to get caught.
vittore 4 days ago||
The link here is to a gist, but on lobste.rs someone posted a link to Eva's blog. And it, with links to friends' blogs, feels so much like the old internet. I don't even know what I enjoyed more, reading the technical side or discovering this dark forest.
est 5 days ago||
could `Sec-Fetch-Dest: image` mitigate this?
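As an added illustration of what the header in the question above can and cannot do (example code written for this page, not from the original write-up, Mintlify, Discord or any other project named in the thread), here is a defender-side gate for files served from an image URL. It layers a Fetch Metadata check on top of a magic-byte check and response hardening; the function name `allow_image_request`, the header policy and the sample inputs are all assumptions made for the example. The point it shows: `Sec-Fetch-Dest` is only sent by browsers that implement Fetch Metadata, and a magic-byte check does not defeat a polyglot file, so the correct `Content-Type` plus `X-Content-Type-Options: nosniff` is the layer that actually stops a browser from executing an "image" as script.

```python
"""Added example (not from the original write-up or any affected project):
a defender-side gate for files served from an image path, combining
Fetch Metadata with a content check and response hardening.
`allow_image_request` and the sample inputs below are hypothetical."""

# Sec-Fetch-Dest values a browser sends when it fetches something to
# display as an image ("image") or to hand to fetch()/XMLHttpRequest
# ("empty"). Anything else (script, document, iframe, ...) means the
# client intends to execute or navigate to the response.
ALLOWED_IMAGE_DESTS = {"image", "empty"}

# Leading bytes of common raster formats and the MIME type to serve.
IMAGE_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's magic bytes, or None."""
    for magic, mime in IMAGE_MAGIC:
        if data.startswith(magic):
            return mime
    # WebP: RIFF container with the "WEBP" form type at offset 8.
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def allow_image_request(request_headers: dict, file_bytes: bytes):
    """Decide whether to serve `file_bytes` from an image URL.

    Returns (status, response_headers, reason). The reason string is for
    logging; a real handler would emit only the status and headers.
    """
    # Header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in request_headers.items()}
    dest = headers.get("sec-fetch-dest")

    # Layer 1: Fetch Metadata. Only browsers that implement it send the
    # header, so a missing value proves nothing and must fall through;
    # a present value that is not an image/fetch destination is refused.
    if dest is not None and dest not in ALLOWED_IMAGE_DESTS:
        return 403, {}, f"refused: Sec-Fetch-Dest={dest}"

    # Layer 2: the bytes must at least start like an image. This does NOT
    # defeat a polyglot (valid image header followed by script text), which
    # is why layer 3 is the one that actually stops script execution.
    mime = sniff_image_type(file_bytes)
    if mime is None:
        return 404, {}, "refused: body is not a recognised image format"

    # Layer 3: response hardening. With a non-script Content-Type and
    # nosniff, browsers refuse to run the body as a script even when a
    # <script src=...> request slips past layer 1 (e.g. an old client).
    response_headers = {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
    }
    return 200, response_headers, "served"


# Constructed sample inputs: a PNG signature followed by script text
# (a toy stand-in for a polyglot, not a working one) and a plain script.
POLYGLOT_PNG = b"\x89PNG\r\n\x1a\n" + b'/* IHDR */ console.log("not an image")'
PLAIN_SCRIPT = b'console.log("not an image")'

if __name__ == "__main__":
    for hdrs, body in (
        ({"Sec-Fetch-Dest": "script"}, POLYGLOT_PNG),
        ({"Sec-Fetch-Dest": "image"}, POLYGLOT_PNG),
        ({}, PLAIN_SCRIPT),
    ):
        status, _, reason = allow_image_request(hdrs, body)
        print(hdrs.get("Sec-Fetch-Dest", "<absent>"), status, reason)
```

Run as a script it prints one line per sample request. Note that the request with no `Sec-Fetch-Dest` and a PNG-looking body is served: a server cannot rely on the header alone, so the `Content-Type`/`nosniff` pair on the response is what carries the mitigation for every client.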
YouAreWRONGtoo 5 days ago||
[dead]
normie3000 5 days ago|
Cool bug. Bug bounty money is pathetic.
bytecauldron 5 days ago||
I was going to ask. Isn't 4k from Discord pretty low for the work conducted here? I'm not familiar with bounty payouts. I'm hoping these companies aren't taking advantage of them.
oxandonly 5 days ago||
$4k is sadly Discord's highest bounty they give out (screenshot from their Bugcrowd program: https://imgur.com/a/KNIdeXh); even more critical issues than this one get paid out the same amount.
tuesdaynight 5 days ago|||
What is the reason for the low values? I would understand if it was a small company, but we are talking about Discord here.
charlesabarnes 5 days ago||
Supply and demand. Selling via grey markets is an option, but many white hats don't go that route due to risk. There's plenty of people that will also find vulnerabilities without any money attached.
jijijijij 5 days ago|||
That's a limited view. The damage this could cause should be accounted for. People don't have to sell shit, they could fuck things up just for the fun of it. That's something to consider, especially with a bunch of teenagers. Now, these big corpos didn't take the chance to sponsor and encourage these kids' early careers and make this fuck-up good PR, at least.
Aachen 4 days ago||
That's not how economics works. I can't do my job without a computer or glasses, but that doesn't mean I can pay the suppliers of these things most of my salary each. Preventing a 100k€ problem says almost nothing about what the payout should be. As for them just causing chaos for fun, that nets them just about nothing (what's an evening of fun worth, like what are you willing to pay for a cinema ticket?). This is certainly more (hundreds of times more) and so covers that risk as well.
jijijijij 4 days ago||
In an ideal world, these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers constantly monitoring their stack. But those costs are cut, because the law de facto doesn't hold them liable for getting hacked. It's a very good deal for companies to pay bug bounties, but they mostly cheap out on that, too.

It's like a finder's reward elsewhere in life. If you lost your wallet, your immaterial and material loss is quite high, but apart from cash the contents are of way less value for a finder/thief. These types of rewards are meant to manipulate emotions and motivation. Twitter paid these kids each between $1 and $20. That's insulting. As I said elsewhere, bug bounties are PR. And it's bad PR in this case. Black market pricing is the absolute low end for valuation (it's basically the cash value in the wallet example).

Aachen 4 days ago||
> these bugs, especially low-hanging fruits, shouldn't be discoverable by some random kids. These billion dollar companies should have their own security researchers [...]

I'm twice this kid's age and have been doing this hobby-turned-work as long as they have. I can tell you the work we do is no different. It doesn't matter if you're 16 or 64 or what your credentials are or salary is. We're all just hackers. Hacker ethos is judging by skill, not appearance. Welcome to hacker news :P

https://en.wikipedia.org/wiki/Hacker_ethic#The_hacker_ethics item #4

> Twitter paid these kids each between $1 and $20.

The submission doesn't say they've even contacted Xitter. I thought it was in the title just to drop names that we've heard of that used this dependency. Did you legit find somewhere that they got ≤$20 for an exploitable XSS on the x.com or twitter.com domains? That is definitely a strangely low amount, but then I'm not surprised by anything where Elon is involved. It could also have been a silent fix without even replying to the reporter; I've had that often enough. But yeah, from X I would expect a few hundred dollars at least, and from old Twitter (or another legit business) more than that (as Discord demonstrated).

jijijijij 3 days ago||
Get off your high horse. In this instance it's been a kid, and it does not concern some highly arcane flaw in a crypto library or chained kernel exploit, which may have passed even a pro. I already implied this bug should have been found by in-house security, so obviously it's within the domain of professionals and teenagers alike.

> The submission doesn't say they've even contacted Xitter.

This one doesn't. This one does: https://heartbreak.ing/. Or at least, I presume they meant Twitter when they wrote "one company valued 44 billion".

Aachen 2 days ago||
> Get off your high horse

What did I say that made you reply this way?

Aachen 4 days ago||||
Not sure what risk, but for me it would be morals.

I've rarely gotten bug bounty money and not even always a written thank-you, but it doesn't cross my mind to somehow seek out a malicious actor that wants to make use of what I found. Leave the place better than you found it and all that.

zahlman 4 days ago||||
> Selling via grey markets is an option, but many white hats don't go that route due to risk.

I would think that such a sale makes one inherently not "white hat".

tptacek 5 days ago|||
What "grey market" are you talking about? How specific can you be about it?
jfindper 5 days ago||
I know you love asking people this question, so sorry to spoil your fun, but you know just as well as I do that there isn't really a "grey market".
tptacek 5 days ago||
There absolutely is. I'm just not familiar with one that buys these vulnerabilities.
FloorEgg 5 days ago|||
Supply and demand I guess.

Pathetic for a senior SE but pretty awesome for a 16 year old up and coming hacker.

tuesdaynight 5 days ago|||
You are right, but that could (probably not) make them go for the bad route because they would get way more money that way. 4k for a bug that could take control of your customer account sounds disrespectful to me.
finghin 5 days ago|||
Yeah, my read is that the teenage hacker confronted with this ridiculous payslip sees two ways forward: accept the pay cut for the CV benefit of working with bug bounties, or get a bit better at hiding your ass and make them really pay.
james_marks 5 days ago||
If I were 16, I’d be thinking I just made an obscene amount of money ($4,000!) messing with computers for fun, and got to meet people at a famous company.

That’s a free car. Free computer. Uber eats for months.

And my status with my peers as a hacker would be cemented.

I get that bounty amounts are low vs SE salary, but that’s not at all how my 16yo self would see it.

finghin 5 days ago||
When I was sixteen I was already familiar with the concept of leverage. I'm not sure if I'd have had the cojones to use it though.
grenran 5 days ago|||
Playing devil's advocate, but $4k is probably more money than most kids that age have seen in their life.
finghin 5 days ago||||
I hope I'm not assuming too much, but I really hope the up-and-coming hacker is smart enough to know that his work was worth more than $4,000. That's 1-2% of an annual SE salary for someone with a similar skillset.
MeetingsBrowser 5 days ago|||
> That's 1-2% of an annual SE salary for someone with similar skillset.

I agree $4,000 is way too low, but a $400k salary is really high, especially for security work.

degamad 3 days ago||||
> That's 1-2% of an annual SE salary for someone with similar skillset.

So commensurate for approximately 2 days of work, a little high for two hours of work, and a little low for 8 days of work.

ascorbic 5 days ago|||
And this will help them land that six-figure job.
bbarn 5 days ago||
I mean, as a hiring manager, a fresh grad with multiple bug bounties tells me a lot about their drive and skill, so I'd agree. It's a great differentiator.
yieldcrv 4 days ago|||
Market value is the same regardless, so this was pathetic.
some_guy_nobel 5 days ago||
What do you expect? a16z-funded and they love to talk about how much they've raised, thought-leader style co-founders, etc.