Slashdot Mirror


Hacker Finds Bug to Edit or Delete Any Medium Post (vice.com)

Joseph Cox, reporting for Motherboard: Medium has become the go-to home for extended blog posts from researchers, CEOs, and even the President of the United States. Now, one hacker has found a way to edit or delete any post on the publishing platform. "I tried to think of different possibilities or testing cases on how can I delete a story of any user. And fortunately, I found a severe bug," Philippines-based freelance penetration test and bug bounty hunter Allan Jay Dumanhug told Motherboard in an email. The trick, Dumanhug explained in a blog post published at the end of last month, centres around Medium's "Publications" feature. Users can create their own publications -- perhaps a page dedicated to infosec news, for example -- and then request to add other users' posts to it. Each post on Medium is given its own unique, 12-character identifier code. The person who authored the post has to approve that request, otherwise their story doesn't go anywhere. But Dumanhug found that while adding his own story to his own publication, he could intercept the HTTP request and simply change the identifier to that of another post.
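The request the summary describes, replayed against a simulated "add story to publication" handler in its vulnerable shape and in a fixed shape (added example, not Medium's code; the users, 12-character ids and titles are constructed fixtures):

```python
# Added example (not Medium's code): a simulated "add story to publication"
# handler, first in the vulnerable shape the article describes, then fixed.
# All users, ids and titles below are constructed fixtures.

class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""

def make_store():
    """Fresh in-memory fixture: each user owns one 12-character post id and one publication."""
    return {
        "posts": {"a1b2c3d4e5f6": {"author": "alice", "title": "Alice's story"},
                  "f6e5d4c3b2a1": {"author": "bob", "title": "Bob's story"}},
        "publications": {"pub-alice": {"owner": "alice", "posts": []},
                         "pub-bob": {"owner": "bob", "posts": []}},
    }

def add_post_vulnerable(store, session_user, pub_id, post_id):
    """Checks only that the caller owns the publication and trusts post_id from
    the request body. Swapping post_id for another user's id succeeds."""
    pub = store["publications"][pub_id]
    if pub["owner"] != session_user:
        raise Forbidden("not your publication")
    pub["posts"].append(post_id)
    return pub["posts"]

def add_post_fixed(store, session_user, pub_id, post_id):
    """Object-level authorization: the caller must own the publication AND the post.
    Anything else must go through the author's approval flow (not modelled here)."""
    pub = store["publications"][pub_id]
    if pub["owner"] != session_user:
        raise Forbidden("not your publication")
    post = store["posts"].get(post_id)
    # One response for 'no such post' and 'not your post' so ids cannot be probed.
    if post is None or post["author"] != session_user:
        raise Forbidden("post not found or not owned by caller")
    pub["posts"].append(post_id)
    return pub["posts"]

def tamper_demo():
    """Replays the reported request (Bob submits Alice's post id) against both handlers."""
    vuln = add_post_vulnerable(make_store(), "bob", "pub-bob", "a1b2c3d4e5f6")
    try:
        add_post_fixed(make_store(), "bob", "pub-bob", "a1b2c3d4e5f6")
        fixed = "allowed"
    except Forbidden:
        fixed = "denied"
    return vuln, fixed
```

The ownership check belongs on the server, next to the data; a random, hard-to-guess id only raises the cost of guessing and does nothing once an attacker already knows a target id.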

39 comments

  1. And nothing of value was lost by Anonymous Coward · · Score: 2, Insightful

    First clue was the puffery in the lede.

  2. Where they got their name from by JustNiz · · Score: 4, Funny

    clearly the name Medium refers to their level of security.

    1. Re:Where they got their name from by Anonymous Coward · · Score: 0

      medium level security? Please.

      Trusting the browser not to mess with the data and calling that "medium security" is an insult to every medium.

      On top of that: I read "http request" and had to puke. Please let that be a typo and meant to be https.

  3. That was almost scary by rebelwarlock · · Score: 2

    For a moment there, I thought he'd found a way to delete a post from any medium. That would have been a whole lot worse.

    1. Re:That was almost scary by Anonymous Coward · · Score: 0

      Yeah, well don't finish being scared just yet. This is a guy with formidable hacking ability, who, considering his nation of residence, may very well be capable of hacking you to death, or at the least, beating the piss out of you with an eskrima stick.

    2. Re: That was almost scary by Anonymous Coward · · Score: -1

      fuck u mute me shitdick

  4. Astroturf much? by Anonymous Coward · · Score: 1

    Ta-da! Now people know that Medium exists.

    This sounds like a story about the guy who rm -rf'd his whole webfarm.

    1. Re:Astroturf much? by slashdice · · Score: 4, Insightful

      According to netcraft, more people are aware medium exists than are aware slashdot [still] exists.

      --
      Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.

    2. Re:Astroturf much? by K.+S.+Kyosuke · · Score: 2

      Good! Let's hope it will stay that way.

      --
      Ezekiel 23:20

  5. When will Medium go to hell? by Jonah+Hex · · Score: 1

    So far I've been fairly pleased with reading things on Medium, although some of the weird sliding underlay pics I can do without. So when will the nice experience give way to a horrible one? When they force ads on those who run ad blockers? When they decide they aren't making enough money from the site as is? Micro transactions? So far it's been almost too good to be true.... which makes me deeply suspicious.

    1. Re:When will Medium go to hell? by Curunir_wolf · · Score: 3, Informative

      So far I've been fairly pleased with reading things on Medium, although some of the weird sliding underlay pics I can do without. So when will the nice experience give way to a horrible one? When they force ads on those who run ad blockers? When they decide they aren't making enough money from the site as is? Micro transactions? So far it's been almost too good to be true.... which makes me deeply suspicious.

      It's a different model. They make money using native advertising.

      --
      "Somebody has to do something. It's just incredibly pathetic it has to be us."
      --- Jerry Garcia

  6. haxxy haxx0r be haxx1n!11! by Anonymous Coward · · Score: 0

    news at eleven

  7. girlshub by Anonymous Coward · · Score: -1

    It's interesting how ESPM bought PornHub with their pyramid scheem, and make porn videos with montage using children wering the same clothes of the actresses. Many videos are montages with adults, but the closeups are often children. I know that because I knowpussy, and not the same pussy when the view changes.

  8. See, this is why we hate black-hat hackers. by jeffb+(2.718) · · Score: 5, Funny

    If a white-hat hacker had found this exploit, he would've gone ahead and deleted all Medium posts. And there would have been much rejoicing.

  9. can he also delete long and short posts? by Anonymous Coward · · Score: 0

    captcha: scrotum. wtf?

  10. Story reaks of gayness and butthole seepage by Anonymous Coward · · Score: -1

    and even the President of the United States

    How does he get a "even"? He is a paid employee of the people of America. He listens to what spies and Jew lobbyists tell him to do because he is afraid hey will kill he scrawny black ass. He is guilty of treason. He destroyed American healthcare with the "Affordable Care Act" AKA Obamacare. He lets jobless destitute immigrants flood the borders to drink at the trough of taxpayer's social services, meanwhile the country is living on a dead fiat currency. He is just a fucking lawyer being told what to do by spies with pistols and suppressors. People voted for him, but only the ones stupid enough to think their vote would count. It is an electoral college system. Can you even find the electoral college representatives list online RIGHT NOW for this election? No, you can not.

    All of this shit is spread to people young and old over Jewish media. They are friends of a country living under a rocket-force-field who lie. This is why they live under the Iron Dome. Nobody likes a liar. So it should have said...

    and even the lying treasonous cocksucker the President of the United States

    1. Re:Story reaks of gayness and butthole seepage by Anonymous Coward · · Score: -1

      That post is correct. Somebody either gay, Jew, or a jobless immigrant had mod points. Of those only the jobless immigrant has a chance to not go to Hell.

      There are gay lawyers. There are Jew lawyers. There are no jobless immigrant lawyers.

      That settles it, lawyers... psst.. Obama.. Hell.

  11. Not very psychic by Anonymous Coward · · Score: 2, Funny

    Any real mediums would see the deletion coming....

  12. That's not a bug by holophrastic · · Score: 3, Informative

    That's not a bug. It's just a total lack of authentication. No one put in the effort, because no one cared. Congrats. This ain't a surprise.

    Perhaps a blogging platform needn't the same level of security as a bank or nuclear power centre.

    A lesson for young programmers: if you're going to divulge your UIDs (or make them easily guessable, like sequential), be sure to pair them with a random string before you accept them from an outside source -- like user input.

    1. Re:That's not a bug by cen1 · · Score: 2

      Authentication is not the correct word, authorization is. In this case, they fail to check whether the client is actually the owner of the post. A fairly amateur mistake.

    2. Re:That's not a bug by Kreplock · · Score: 1

      Maybe it was outsourced. In which case, wth does anyone expect?

    3. Re:That's not a bug by Khyber · · Score: 1

      "In this case, they fail to check whether the client is actually the owner of the post."

      That would be authentication. Making sure someone is who they say they are is authentication, granting access after authentication is authorization.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

    4. Re:That's not a bug by Anonymous Coward · · Score: 0

      So, that would be authorization then? The user was already authenticated as being who they are, but was incorrectly granted access (authorized) to perform actions on other people's data.

    5. Re:That's not a bug by Anonymous Coward · · Score: 0

      No, that would be authorization. The important words here are "owner of the post".

    6. Re:That's not a bug by Anonymous Coward · · Score: 0

      As the other two people have noticed already, you got it backward. Can't say I'm surprised because you consistently fail to understand even the most rudimentary of ideas. You are dumb to a level that I've only seen in trailer parks and so self confident in your stupidity that you should run for Congress... you'd fit right in you idiot.

  13. Next level! by Anonymous Coward · · Score: 5, Funny

    "he could intercept the HTTP request and simply change the identifier to that of another post."

    Stand back guys, we got a pro here.

    1. Re:Next level! by Anonymous Coward · · Score: 0

      Well he is better than you.

      The last hack you attempted was opening a pack of crisps..... and you failed after 5 attempts.

    2. Re:Next level! by Anonymous Coward · · Score: 0

      Speak for yourself.

    3. Re:Next level! by Anonymous Coward · · Score: -1

      What if I told you I gained root access to your mom's vajayjay with my 22" shlong, is that something you might be interested in?

    4. Re:Next level! by Anonymous Coward · · Score: 0

      I was waiting for the disclaimer "Remember folks this is a professional; don't try this at home"

      a

  14. That explains it by Anonymous Coward · · Score: 1

    Medium has become the go-to home for extended blog posts from researchers, CEOs, and even the President of the United States.

    That explains why I haven't found a single thing on that site worth reading. I guess it's not cold enough outside to enjoy that much hot air.

  15. Well this is a great opportunity by Anonymous Coward · · Score: 0

    to delete all posts on medium, right?

    I mean basically half the articles are shills for products, and the other half tend to be half-baked opinion pieces by smug, "I've been programming for less than a year, but I'm an expert" pieces.

  16. Medium sucks by Anonymous Coward · · Score: 0

    It's the new Tripod or Geocities... which ironically could be exploited by a similar method

    1. Re:Medium sucks by sumdumass · · Score: 1

      A lot of porn sites could be gamed this way too. You get the preview and alter the URL and next thing you know you're in the directory for all of that model's pics. From there it was just a matter of paying attention and recognizing some patterns and you could easily get into others.

      Now granted this may appear different because you could perform "actions" but it is the same or similar because you were using the preview authentication to browse the entire paywalled contents. They wised up and eventually put an end to it though. But there is plenty of quality porn available without resorting to that now.

  17. Had to be said... by sysrammer · · Score: 4, Funny

    It's a rare Medium that's done well.

    --
    His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain

  18. Rules for Web Developers by bl968 · · Score: 2

    Rule 1. Never trust any user input.
    Rule 2. Using encrypted checksums and other input checking to verify the contents of system generated forms before accepting them is a good thing.

    --
    "GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
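
Comment 12's advice to pair exposed ids with a random string and comment 18's rule 2 describe the same defence: a server-issued MAC over the form field, checked when the field comes back. Added example, not from the page or from Medium; the key, action name and ids are constructed:

```python
# Added example (not from the page or Medium): a server-side MAC that binds a
# form value (here a 12-character post id) to the signed-in user and the action.
# The key and ids are constructed for the demo.
import hmac
import hashlib

DEMO_KEY = b"constructed-demo-key-replace-in-production"
ACTION = "add-to-publication"

def _mac(user, action, value, key):
    # Ids are alphanumeric, so '|' cannot occur inside a field and is a safe separator.
    msg = f"{user}|{action}|{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_field(user, value, action=ACTION, key=DEMO_KEY):
    """Value the server writes into the form: '<post_id>.<mac>'."""
    return f"{value}.{_mac(user, action, value, key)}"

def verify_field(user, field, action=ACTION, key=DEMO_KEY):
    """Return the post id if the MAC matches this user and action, else None.
    Changing the id, submitting another user's field, or replaying it for a
    different action all fail, so the handler only sees ids it issued."""
    value, sep, tag = field.rpartition(".")
    if not sep or not value:
        return None
    expected = _mac(user, action, value, key)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return value

def demo():
    """Alice's own field verifies; the same MAC with Bob's id swapped in, or
    Alice's field submitted by Bob, does not."""
    field = sign_field("alice", "a1b2c3d4e5f6")
    tag = field.split(".")[1]
    swapped = "f6e5d4c3b2a1." + tag
    return (verify_field("alice", field),
            verify_field("alice", swapped),
            verify_field("bob", field))
```

This makes tampering detectable for values the server itself issued; the ownership check on the post still has to happen server-side, because a valid MAC only proves the field came from this user's own form.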

  19. StartsWithABang? by thegarbz · · Score: 1

    I expect the hacker was a disgruntled Slashdot reader who had to put up with one too many StartsWithABang posts. I'm awaiting news that Forbes has been hacked next.

  20. high tech by Anonymous Coward · · Score: 1

    I hear they are high tech. They even have Unicode support.

  21. Sorry by Anonymous Coward · · Score: 0

    I replied to the wrong comment.