Hacker Finds Bug to Edit or Delete Any Medium Post (vice.com)

Joseph Cox, reporting for Motherboard: Medium has become the go-to home for extended blog posts from researchers, CEOs, and even the President of the United States. Now, one hacker has found a way to edit or delete any post on the publishing platform. "I tried to think of different possibilities or testing cases on how can I delete a story of any user. And fortunately, I found a severe bug," Philippines-based freelance penetration tester and bug bounty hunter Allan Jay Dumanhug told Motherboard in an email. The trick, Dumanhug explained in a blog post published at the end of last month, centres around Medium's "Publications" feature. Users can create their own publications -- perhaps a page dedicated to infosec news, for example -- and then request to add other users' posts to it. Each post on Medium is given its own unique, 12-character identifier code. The person who authored the post has to approve that request, otherwise their story doesn't go anywhere. But Dumanhug found that while adding his own story to his own publication, he could intercept the HTTP request and simply change the identifier to that of another post.
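The missing server-side check the summary describes, sketched as an added example (not Medium's code and not part of the original story): one handler trusts the post identifier sent by the client, the other authorizes against the post that identifier resolves to and falls back to the author-approval flow. All function names, user names and identifiers are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Raised when the session user may not perform the action."""

@dataclass
class Post:
    author: str
    publication: Optional[str] = None

def sample_store():
    # Constructed sample data: identifiers and user names are made up.
    posts = {"a1b2c3d4e5f6": Post("alice"), "0f9e8d7c6b5a": Post("bob")}
    publications = {"infosec-news": "alice"}  # publication -> owner
    pending = []  # (publication, post_id) requests awaiting the author
    return posts, publications, pending

def add_story_unchecked(posts, publications, user, publication, post_id):
    """Flawed pattern: verifies the publication owner, trusts post_id."""
    if publications.get(publication) != user:
        raise Forbidden("not your publication")
    posts[post_id].publication = publication  # no check on who wrote it
    return "added"

def add_story_checked(posts, publications, pending, user, publication, post_id):
    """Authorize against the object the identifier resolves to."""
    post = posts.get(post_id)
    if post is None or publications.get(publication) != user:
        raise Forbidden("unknown post or not your publication")
    if post.author == user:
        post.publication = publication
        return "added"
    # Someone else's story: record a request the author must approve.
    pending.append((publication, post_id))
    return "pending"

if __name__ == "__main__":
    posts, pubs, pending = sample_store()
    print(add_story_unchecked(posts, pubs, "alice", "infosec-news", "0f9e8d7c6b5a"))
    posts, pubs, pending = sample_store()
    print(add_story_checked(posts, pubs, pending, "alice", "infosec-news", "0f9e8d7c6b5a"))
```

The decision is made from the server's own record of who wrote the post, so a changed identifier in the request only ever produces a pending request or a refusal.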
  • by Anonymous Coward

    First clue was the puffery in the lede.

  • by JustNiz ( 692889 ) on Monday July 11, 2016 @10:29AM (#52489289)

    clearly the name Medium refers to their level of security.

  • by rebelwarlock ( 1319465 ) on Monday July 11, 2016 @10:29AM (#52489291)
    For a moment there, I thought he'd found a way to delete a post from any medium. That would have been a whole lot worse.
  • by Anonymous Coward

    Ta-da! Now people know that Medium exists.

    This sounds like the story about the guy who rm -rf'd his whole webfarm.

  • So far I've been fairly pleased with reading things on Medium, although some of the weird sliding underlay pics I can do without. So when will the nice experience give way to a horrible one? When they force ads on those who run ad blockers? When they decide they aren't making enough money from the site as is? Micro transactions? So far it's been almost too good to be true.... which makes me deeply suspicious.
    • by Curunir_wolf ( 588405 ) on Monday July 11, 2016 @01:55PM (#52490807) Homepage Journal

      So far I've been fairly pleased with reading things on Medium, although some of the weird sliding underlay pics I can do without. So when will the nice experience give way to a horrible one? When they force ads on those who run ad blockers? When they decide they aren't making enough money from the site as is? Micro transactions? So far it's been almost too good to be true.... which makes me deeply suspicious.

      It's a different model. They make money using native advertising.

  • by jeffb (2.718) ( 1189693 ) on Monday July 11, 2016 @10:40AM (#52489393)

    If a white-hat hacker had found this exploit, he would've gone ahead and deleted all Medium posts. And there would have been much rejoicing.

  • by Anonymous Coward

    Any real mediums would see the deletion coming....

  • That's not a bug (Score:4, Informative)

    by holophrastic ( 221104 ) on Monday July 11, 2016 @11:07AM (#52489595)

    That's not a bug. It's just a total lack of authentication. No one put in the effort, because no one cared. Congrats. This ain't a surprise.

    Perhaps a blogging platform needn't the same level of security as a bank or nuclear power centre.

    A lesson for young programmers: if you're going to divulge your UIDs (or make them easily guessable, like sequential), be sure to pair them with a random string before you accept them from an outside source -- like user input.

    • by cen1 ( 2915315 )
      Authentication is not the correct word, authorization is. In this case, they fail to check whether the client is actually the owner of the post. A fairly amateur mistake.
      • by Khyber ( 864651 )

        "In this case, they fail to check whether the client is actually the owner of the post."

        That would be authentication. Making sure someone is who they say they are is authentication, granting access after authentication is authorization.

    • Maybe it was outsourced. In which case, wth does anyone expect?
  • Next level! (Score:5, Funny)

    by Anonymous Coward on Monday July 11, 2016 @11:12AM (#52489629)

    "he could intercept the HTTP request and simply change the identifier to that of another post."

    Stand back guys, we got a pro here.

  • by Anonymous Coward

    Medium has become the go-to home for extended blog posts from researchers, CEOs, and even the President of the United States.

    That explains why I haven't found a single thing on that site worth reading. I guess it's not cold enough outside to enjoy that much hot air.

  • by sysrammer ( 446839 ) on Monday July 11, 2016 @12:46PM (#52490285) Homepage

    It's a rare Medium that's done well.

  • by bl968 ( 190792 ) on Monday July 11, 2016 @01:08PM (#52490449) Journal

    Rule 1. Never trust any user input.
    Rule 2. Using encrypted checksums and other input checking to verify the contents of system generated forms before accepting them is a good thing.

  • I expect the hacker was a disgruntled Slashdot reader who had to put up with one too many StartsWithABang posts. I'm awaiting news that Forbes has been hacked next.
