Security researcher Nathan Malcolm did a bit of digging and found a way to hack the image-hosting site Imgur.
Thankfully, he was working within Imgur’s official bug bounty program, so his work resulted in responsible disclosure and a payday rather than a hack or breach.
Malcolm detailed his travails on his blog, where he outlines how he maneouvred his way through Imgur’s development servers until he ended up on the company’s customer-facing production servers.
In a well-controlled network, development servers, where programmers build and test as-yet-unfinished versions of their software, should be kept carefully apart from the production systems that provide services to real-life customers.
But by accident or design (perhaps to make life easier for the developers using them, or the sysadmins running them), development environments often share resources with production systems, and can be accessed from the internet, even though they’re usually less secure than production environments.
That makes them a delicious target for hackers: just ask Patreon or Vine.
How he did it
In the case of Imgur, Malcolm did a bit of detective work on the site’s source code and found a reference to development servers that were accessible online. Once he browsed to the development server, he was able to do all the digging he wanted.
What did I find? It was essentially Imgur as you know it with a couple of users and a few test posts. […] I could see stacktraces which included parts of Imgur’s source code, PHP warnings and notices, details about the environment, database queries, and full paths to configuration files.
Further investigation revealed an Elasticsearch server harbouring a known remote code execution (RCE) vulnerability.
Malcolm used the flaw to look for files on the server and came across one that contained credentials for Imgur’s MySQL servers and Amazon AWS access keys for both the development and production servers. From there he was able to log in to Imgur’s production database.
With that access, he could have caused massive damage to Imgur by bringing the entire site down; thankfully, he reported it to Imgure so it could be fixed right away.
Malcolm’s research shows the often-meandering path an attacker will take to compromise a company’s data or systems. It’s not a matter of just doing one thing; rather, it’s a series of hops and jumps from one system to another to get to the end goal.
Each step gives the hacker just enough leverage to keep looking. In this case, an innocent-enough reference to a development server led Malcolm down a path that gave him the keys to the kingdom, so to speak.
Upon Malcolm’s disclosure Imgur quickly shut down access to the server while they worked to figure out how to secure it. The company’s full response:
A security group configuration error allowed Imgur development environments to face the public internet. Typically these environments were protected behind a special endpoint which would open access to authenticated Imgur employees for a short time window. Since the development environments were configured in such a manner to make development easier, some keys and environment variables were exposed. While most of these pieces of sensitive information were limited to the development environments, some production information was also exposed. Since this report was published, security around development environments has been completely re-worked and they now reside behind a VPN.
What to do?
- Never put resources online and rely on them staying unnoticed because they are “unadvertised”. Assume that someone will find them.
- Always enable authentication to access your services, even internally. Assume that someone will find them.
- Respond quickly if someone reports servers that shouldn’t be there. Assume that someone else will find them.
- Divide up your network to make it harder for attackers to find test or development servers.. You can listen to this Chet Chat podcast for more detail on why that’s so important (starts at 0’50”).
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)