Bug discovered in third-party video marketing platform
A JavaScript library used by HackerOne contained a prototype pollution vulnerability that could have allowed hackers to stage phishing attacks on unsuspecting users.
Prototype pollution is a dangerous vulnerability found in prototype-based programming languages such as JavaScript, which allows attackers to manipulate the behavior of an application by modifying its code at runtime.
Prototype pollution vulnerabilities are usually exploited through malicious user input and can lead to a host of attacks, including denial of service or even remote code execution (RCE).
First reported on the HackerOne bug bounty platform by security researcher William Bowling, the new prototype pollution vulnerability was found in one of the JavaScript files used to host content from Wistia, a video hosting and marketing platform.
RELATED Prototype pollution: The dangerous and underrated vulnerability impacting JavaScript applications
The file in question parsed the webpage URL without sanitizing it, which could allow a hacker to inject malicious HTML and JavaScript code in the query string. Bowling’s findings show the bug could be exploited to run phishing attacks against HackerOne users.
He found the bug while looking for cross-site scripting (XSS) vulnerabilities on the HackerOne.com domain. The company’s main bug bounty platform is separately managed.
“I started searching for anywhere that user-controlled data was being used, but since it’s just their marketing site it didn’t leave too many options,” Bowling told The Daily Swig.
“Things like the document location or message event listeners are normally good candidates.”
Read more of the latest bug bounty news
While perusing the site’s source with the Chrome DevTools, Bowling came across the Wistia JavaScript code that was extracting the host and query parameters, among other findings. Since query parameters are provided by the user, an attacker could use it to embed custom JavaScript and HTML code.
A crafty hacker could have exploited the bug to stage an XSS attack. “It allowed an attacker to specify the innerHTML for any DOM elements that were created via the Wistia script,” Bowling explained.
“The HackerOne marketing site doesn’t have any user data or cookies to steal, so the only impact there would have been something like a phishing attack,” Bowling said, adding that since the bug was in the Wista embed code, any site that used the feature would have been vulnerable as well.
Third-party bounty
“While the vulnerability was not exploited, it could’ve enabled an attacker to craft special URLs that could make it seem like content was injected on the site,” Jobert Abma, co-founder of HackerOne, told The Daily Swig.
“Due to the different content security policy for the CMS administrators, we do not believe that it could have been used to persist any content if such a payload would be sent to an authenticated HackerOne CMS administrator.”
Abma added: “Although the vulnerability wasn’t in code HackerOne maintained, it did impact our systems, which is why we decided to award a bounty for it.
“The vendor, Wistia, was great to work with throughout the process and they pushed a fix for the vulnerability soon after it had been disclosed to them.”
Bowling and his collaborator Ian Bouchard were each awarded a $250 bounty for the discovery.
“We’re not aware of future protections against similar vulnerabilities on Wistia’s side, and we have not received any prototype pollution bugs originating from our own code, but I’d challenge anyone to go and look for them,” Abma said.
“All software has bugs, and we’re safest when we know where we’re most vulnerable.”
Prototype pollution bugs are mostly limited to special uses of JavaScript, but they are dangerous, underrated, and often overlooked.
“For there to be a prototype pollution bug there normally has to be a function that allows a user to set keys on an object at least two levels deep, something like parsing a query string or extending an object,” Bowling said.
“Since this doesn’t happen too often with user-controlled data, I think it’s quite easy to forget about the fact that JavaScript allows you to overwrite or modify the prototype unless there is code to prevent it.”
READ MORE Node.js applications open to prototype pollution attacks via popular encryption library