Masato Kinugawa, the security researcher who discovered the bug, first caught sight of it during another investigation.
“In spring 2021, I noticed an XSS bug in one of the domains owned by Google, and I reported it through the Google Bug Bounty Program,” Kinugawa told The Daily Swig. “When investigating the details, I noticed that the root cause was in the Ember.js framework.”
According to Kinugawa’s findings, if an application passes unsanitized user input to some of the property-setting functions of Ember.js objects, it can lead to prototype pollution.
The prototype pollution bug could potentially be chained with other vulnerabilities in the target application to carry out further malicious activity, including credential theft.
To abuse the flaw, an attacker would need a script gadget that accesses the vulnerable property setter. “In the case of Google's bug, I was able to use a Google reCAPTCHA gadget because the app used the reCAPTCHA script,” Kinugawa explained.
Feature or bug?
“While deep property chaining is an intended feature of these APIs, and passing untrusted input to them is ill-advised, we agree that this behavior is surprising enough to constitute an increased security risk,” Ember said in an advisory.
A new version of the framework explicitly prevents the previously vulnerable functions from making changes to the object prototype.
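To make concrete the behaviour the article describes (a deep property setter that follows a dotted path and, handed untrusted input, can reach the object prototype) and the kind of fix the advisory mentions, here is an added example. It is not Ember.js code and does not use Ember's API; `deepSetUnsafe`, `deepSetSafe` and the sample input are hypothetical names and constructed values chosen for illustration.

```javascript
// Added example, not Ember.js code: a generic deep property setter of the kind
// many frameworks expose, shown in a vulnerable form and a hardened form.
// `deepSetUnsafe` and `deepSetSafe` are hypothetical names used only here.

// Vulnerable: walks the dotted path and creates intermediate objects as needed.
// "__proto__" looks like an ordinary key, so a path such as "__proto__.isAdmin"
// descends into Object.prototype and the write lands on every object.
function deepSetUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: reject any path segment that can escape the target object, and only
// descend into the target's own properties, never into an inherited one.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepSetSafe(target, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set reserved key in path: ${path}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Demonstration. The path below is a constructed stand-in for a request
// parameter that an application forwards to the setter without sanitising it.
function demo() {
  const untrustedPath = '__proto__.isAdmin'; // constructed input
  const before = ({}).isAdmin;              // undefined on a fresh object

  deepSetUnsafe({}, untrustedPath, true);
  const afterUnsafe = ({}).isAdmin;         // true: an unrelated object now inherits it
  delete Object.prototype.isAdmin;          // undo the pollution before the safe run

  let rejected = false;
  try {
    deepSetSafe({}, untrustedPath, true);
  } catch (e) {
    rejected = true;                        // the hardened setter refuses the path
  }
  const afterSafe = ({}).isAdmin;           // still undefined

  return { before, afterUnsafe, rejected, afterSafe };
}
```

The hardened version still supports ordinary deep paths such as `a.b.c`; what it removes is the ability of a path segment to select an inherited object. Checking `hasOwnProperty` before descending matters as much as the key deny-list: without it, a key that happens to exist on the prototype chain would be followed even when its name is not on the list.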
Prototype pollution bugs remain elusive as they are not well understood by developers. Kinugawa provided some hints on how software developers might find similar vulnerabilities in their programs and the libraries they use.