Security flaw allowed attackers to snoop on payment info and gather private bug bounty program details

HackerOne co-founder unearths information leak bug in Rails package

Rails, the open source web framework, has patched a bug in its ActiveResource package that allowed an attacker to access data in unintended ways and that could possibly result in information leakage.

The vulnerability was first discovered by bug bounty platform HackerOne, whose website uses ActiveResource to process and serve data objects over the web.

HackerOne co-founder Jobert Abma filed the bug back in February, reporting an information leak in the site’s GraphQL interface, which plugs into the RESTful ActiveResource objects.

“Due to the lack of encoding the resource identifier, it is possible to inject additional parameters and point a find call to a [different] resource endpoint,” Abma said.

Parameter injection is a type of attack in which the attacker uses glitches in a function to pass in additional commands. To prevent this from happening, developers usually sanitize external input to remove any potentially harmful commands.

In the case of ActiveResource, the library did not sanitize the parameter that designates the identifier of the object it is supposed to return.

“Because ActiveResource does not have an opinion on identifiers, it won’t encode it (e.g. it doesn’t raise an exception when a string is passed instead of an integer),” Abma noted.

This means that an attacker can pass in custom queries and commands to the REST API. While the bug does not trick the library into returning unwanted information, it results in a change in its behavior and the timing of its response, which attackers can exploit to glean pertinent information.

Payment protection

HackerOne uses ActiveResource to access data in its payments library. According to Abma, the bug would allow an attacker to discover information such as the number of payments a HackerOne user has received, the type of tax form a user has signed, and the existence of a private bug bounty program.

“This security vulnerability was identified by HackerOne’s security team and is [therefore] not eligible for a bounty,” HackerOne said in response to Abma’s report.

“We don’t have any evidence of this being exploited,” a spokesperson for the bug bounty platform told The Daily Swig.

In April, HackerOne applied a monkey patch to ActiveResource, a temporary extension that prevents the bug from being exploited.

“Before going to Rails, we evaluated if the vulnerability was unique to our usage of the library or if there was a more general security concern. After our investigation, we found it could impact the core library and filed a report to Rails,” the HackerOne spokesperson said.

RECOMMENDED XSS vulnerability in ‘Login with Facebook’ button earns $20,000 bug bounty

A CVE was filed for the flaw in January. Rails issued an update earlier this week after Abma helped to develop a patch.

“HackerOne is full of budding hackers and we encourage employees to try out their hacking skills, so this is not the first time a HackerOne employee has discovered a vulnerability,” the bug bounty platform spokesperson said.

HackerOne has a publicly accessible employee participation policy whereby anyone who is working on a customer program – including triagers – is strictly prohibited from submitting bugs to it.

If an employee wants to hack on a customer program, they must have not been working with that organization for at least 90 days beforehand.

“Of course, our own bug bounty program provides a one-of-a-kind exception, so employees filing reports to our own program aren’t eligible for a bounty,” the HackerOne spokesperson said.

READ MORE Back on the Rails: XSS flaw patched in Action View Ruby Gem