Bug discovered in third-party video marketing platform
“I started searching for anywhere that user-controlled data was being used, but since it’s just their marketing site it didn’t leave too many options,” Bowling told The Daily Swig.
“Things like the document location or message event listeners are normally good candidates.”
A crafty hacker could have exploited the bug to stage an XSS attack. “It allowed an attacker to specify the innerHTML for any DOM elements that were created via the Wistia script,” Bowling explained.
“The HackerOne marketing site doesn’t have any user data or cookies to steal, so the only impact there would have been something like a phishing attack,” Bowling said, adding that since the bug was in the Wista embed code, any site that used the feature would have been vulnerable as well.
“While the vulnerability was not exploited, it could’ve enabled an attacker to craft special URLs that could make it seem like content was injected on the site,” Jobert Abma, co-founder of HackerOne, told The Daily Swig.
“Due to the different content security policy for the CMS administrators, we do not believe that it could have been used to persist any content if such a payload would be sent to an authenticated HackerOne CMS administrator.”
Abma added: “Although the vulnerability wasn’t in code HackerOne maintained, it did impact our systems, which is why we decided to award a bounty for it.
“The vendor, Wistia, was great to work with throughout the process and they pushed a fix for the vulnerability soon after it had been disclosed to them.”
Bowling and his collaborator Ian Bouchard were each awarded a $250 bounty for the discovery.
“We’re not aware of future protections against similar vulnerabilities on Wistia’s side, and we have not received any prototype pollution bugs originating from our own code, but I’d challenge anyone to go and look for them,” Abma said.
“All software has bugs, and we’re safest when we know where we’re most vulnerable.”
“For there to be a prototype pollution bug there normally has to be a function that allows a user to set keys on an object at least two levels deep, something like parsing a query string or extending an object,” Bowling said.