How a Security Researcher Convinced Imgur's CEO to Increase Bug Bounty Rewards


Nathan Malcolm, an independent security researcher, published over the weekend his personal experience in dealing with Imgur's security team and how he managed to convince the company's CEO to increase the program's payout fees after gaining access to the site's production database.

Malcolm had contributed to Imgur's security long before the bug bounty program was set up last fall, after Imgur had been abused to launch DDoS attacks on other services.

Malcolm was a longtime contributor to Imgur's security

He began submitting bug reports to the service before that, during the summer of 2015, when he emailed a suite of XSS, clickjacking, and CSRF issues to the site's security team.

It was during these initial reports that he established a relationship with the site's CEO, who emailed to personally thank him for his dedication to helping improve the site.

At first, because the site didn't run a bug bounty program, Malcolm only received swag points on his profile.

Researcher initially got swag points and $50

As the Imgur-DDoS-8chan debacle took place, the company did eventually create a bug bounty program, to which Malcolm submitted his previous bug reports.

He was surprised to see that, for over 20 bugs, he received a reward of only $50, although he did say the reward was low because he had previously received swag points.

Malcolm wasn't disheartened by this payout but set out to find new bugs to impress the Imgur security team.

Researcher finds Imgur's test environment

During this subsequent bug hunt, the researcher found a development server that had been carelessly left open to outside connections. Here he discovered a smaller version of Imgur, but with debug features turned on, such as the Kohana PHP profiler.

Here he also found that the dev server was running an old and insecure Elasticsearch instance that was vulnerable to CVE-2014-3120.

This allowed him to read files from the underlying server, which Malcolm did, taking the /etc/passwd file containing server passwords, and keys.php containing API keys for services such as Fastly, MailChimp, reCAPTCHA, and AWS, as well as various API keys for Imgur's mobile apps.

Malcolm had complete control over the site's database

Since Malcolm wanted to show the Imgur team the extent of the damage a hacker could do, and that they should value security researchers a little more, he took the MySQL password and logged in just once to the company's production database, whose location nobody was supposed to know (at least in theory).

He updated his bug report with the new findings, and the company's engineers decided to raise his bug bounty reward from $50 to $500. Malcolm once again received an email from Imgur's CEO, detailing the security fixes.

A security group configuration error allowed Imgur development environments to face the public internet. Typically these environments were protected behind a special endpoint which would open access to authenticated Imgur employees for a short time window. Since the development environments were configured in such a manner to make development easier, some keys and environment variables were exposed. While most of these pieces of sensitive information were limited to the development environments, some production information was also exposed. Since this report was published, security around development environments has been completely re-worked and they now reside behind a VPN.

Malcolm wrote the CEO another email, explaining the various reasons he needed to offer better payouts, not just to him, but to security researchers in general. A part of his email read:

Bug bounties are like hiring mercenaries. Cheaper than a standing army of pentesters. But don't complain when they swap sides for more gold.

His email didn't fall on deaf ears, and by January 2016, Imgur's CEO had taken steps to improve the company's bug bounty payouts, even raising Malcolm's reward from $500 to $5,000, a more suitable reward for a researcher who had practically "pwned Imgur."

Two months later, security researchers were starting to reveal other bugs in Imgur, this time with better payouts.
