Technique is exploitable at scale because it’s so overlooked, speculate researchers
A study, led by researchers ‘s1r1us’ and ‘BlackFan’, documented vulnerabilities found in Apple.com, Jira Service Management, HubSpot Analytics, Segment Analytics, and the websites of several undisclosed companies, netting them a collective $40,000 in bug bounties.
“Throughout our research period, we have reported this kind of vulnerability to a lot of renowned companies,” the research duo told The Daily Swig.
In total they reported around 80 bugs to vulnerability disclosure programs.
But this flexibility comes with a trade-off: if the programmers are not careful, malicious actors can use security holes in their application to inject malicious code into their objects’ prototypes.
Tools and techniques for finding prototype pollution
And they found ways to zero in on the line of code where the prototype pollution vulnerability kicked into action. For this, they used a combination of browser developer functionalities and search patterns.
Neglected research area
While the research duo believe the vulnerabilities were not necessarily the result of bad coding practices, they are worried that prototype pollution is being neglected.
“We hope our blog gives more light to this attack surface and helps people mitigate these issues at scale with the provided information.”
s1r1us and BlackFan enlisted the support of 13 other researchers with expertise in the field who helped in developing the right tools for the task. With prototype pollution defense still an underdeveloped space, this proved crucial.
“Having a group of skilled people can be helpful when conducting large-scale research,” they explained. “Every one of the researchers brought something new to the research. No wonder we are doing this research for over a year.
“Having people around you still poking at things without being demotivated can be very encouraging. Also, needless to say, you get to learn a ton.”