Speaking to Motherboard in an email, Philippines-based freelance penetration tester and bug bounty hunter Allan Jay Dumanhug said, “I tried to think of different possibilities or testing cases on how can I delete a story of any user. And fortunately, I found a severe bug.”

In a blog post published at the end of last month, Dumanhug explained the trick, which centres on Medium’s “Publications” feature. Users can create their own publications (a page devoted to infosec news, for example) and then request to add other users’ posts to them. Each post on Medium is given its own unique, 12-character identifier. For a story to be added to a publication, the person who authored it has to approve the request. However, Dumanhug discovered that while adding his own story to his own publication, he could intercept the HTTP request and simply change the identifier to that of another user’s post. “Poof. The Target’s story was added to my publication,” Dumanhug writes. From there it is possible to edit or even delete the story completely.

Dumanhug didn’t go on a trigger-happy, post-deleting rampage, though: he writes that he brought the issue to the attention of Medium and received a $350 bounty.

Although Medium uses HTTPS, a protocol for encrypting data in transit, this attack would still have been possible. However, Dumanhug wouldn’t have been able to see or tinker with the request’s contents had he not intercepted the encrypted traffic. But a Medium spokesperson told Motherboard in an email that “this was a software bug that this researcher uncovered by manipulating parameters and crafting a URL outside of the normal user flow,” meaning that the traffic would not have been encoded.

“We’re really proud of Medium’s security history: We fix bugs incredibly fast and the bounty program has helped our team to be even tighter. Further, we have a biannual security external audit, we can fix and deploy patches very quickly and we highly value the white-hat research community,” the spokesperson wrote, adding that “the bug was reported and fixed within hours.”

Source: Motherboard
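The bug class described above is a missing server-side authorization check on a client-supplied object identifier. The following is an added example, not Medium’s code and not from Dumanhug’s write-up: a minimal model of an “add post to a publication” handler, with the version that trusts whatever post identifier arrives in the request beside the version that checks, per object, whether the logged-in user may act on that post. The handler names, the `Post`/`Publication` records, the user names and the 12-character identifiers are all constructed for illustration; only the idea of a 12-character post id and an author-approved request comes from the article.

```python
# Added example, not Medium's code: a minimal model of an "add post to a
# publication" handler.  The vulnerable version trusts whatever post
# identifier the client sends; the hardened version decides server-side,
# per object, whether the caller may act on that specific post.
# All names, identifiers and sample records below are constructed.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when the session user is not allowed to perform the action."""


@dataclass
class Post:
    post_id: str    # 12-character identifier, as Medium assigns (values below are made up)
    author: str
    deleted: bool = False


@dataclass
class Publication:
    pub_id: str
    owner: str
    posts: set = field(default_factory=set)
    # post_ids whose authors have approved being added to this publication
    approved_requests: set = field(default_factory=set)


def sample_state():
    """Constructed fixture: alice and bob each own a post; bob owns a publication."""
    posts = {
        "a1b2c3d4e5f6": Post("a1b2c3d4e5f6", "alice"),
        "0f9e8d7c6b5a": Post("0f9e8d7c6b5a", "bob"),
    }
    pubs = {"pub1": Publication("pub1", "bob")}
    return pubs, posts


def add_post_vulnerable(pubs, posts, session_user, pub_id, post_id):
    """Only checks that the caller owns the publication.  The post_id comes
    straight from the request, so a swapped identifier is accepted without
    the post author's approval."""
    pub = pubs[pub_id]
    if pub.owner != session_user:
        raise PermissionDenied("not the publication owner")
    pub.posts.add(post_id)          # no check on who owns post_id
    return True


def can_add_post(pubs, posts, session_user, pub_id, post_id):
    """Authorization decision for adding post_id to pub_id on behalf of session_user."""
    pub = pubs.get(pub_id)
    post = posts.get(post_id)
    if pub is None or post is None:
        return False
    if pub.owner != session_user:
        return False
    # The caller may add their own post, or a post whose author approved the request.
    return post.author == session_user or post_id in pub.approved_requests


def add_post_hardened(pubs, posts, session_user, pub_id, post_id):
    """Same handler, but the decision is made server-side per object rather
    than inferred from which ids the client happened to send."""
    if not can_add_post(pubs, posts, session_user, pub_id, post_id):
        # Log the denial: repeated failures with foreign post_ids from one
        # account are the detection signal for id tampering of this kind.
        print(f"DENY user={session_user} pub={pub_id} post={post_id}")
        raise PermissionDenied("not allowed to add this post")
    pubs[pub_id].posts.add(post_id)
    return True


def delete_post_hardened(posts, session_user, post_id):
    """Membership in a publication must never confer edit/delete rights:
    only the post's author may delete it."""
    post = posts.get(post_id)
    if post is None or post.author != session_user:
        raise PermissionDenied("only the author may delete a post")
    post.deleted = True
    return True


if __name__ == "__main__":
    pubs, posts = sample_state()
    add_post_vulnerable(pubs, posts, "bob", "pub1", "a1b2c3d4e5f6")
    print("vulnerable handler accepted alice's post:", "a1b2c3d4e5f6" in pubs["pub1"].posts)
    pubs, posts = sample_state()
    print("hardened decision for the same request:",
          can_add_post(pubs, posts, "bob", "pub1", "a1b2c3d4e5f6"))
```

The design point is that ownership of the publication and permission over the post are two separate checks, and both must be made against server-side state (the post’s author, the recorded approval) rather than against anything the client sent. Keeping the delete path’s check independent of publication membership closes the second half of the finding, where adding a story also made it editable and deletable.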