HN

Need help?
<- Back
Securing a DoD contractor: Finding a multi-tenant authorization vulnerability

Securing a DoD contractor: Finding a multi-tenant authorization vulnerability

bearsyankees

Comments (61)

  • mcoliver
    I've seen this at so many startups (and worked to patch the gaps and put in best practices) including those backed by top tier VCs. The problem is that it is rare for startups to have security minded people.It's usually designers, people who can raise money, and generalists who can stitch together apis. It's not generally platform, db, or security minded people. The proliferation of things like vercel and supabase have exacerbated this.So you get people deploying API keys client side and dbs without rls. Or deploying service keys client side when they should be anon. I mean really basic stuff.
  • janice1999
    Finally the AI security startup hustlers will keep the other tech startup hustlers in line. Maybe the era of devastating leaks and total disregard for user privacy will come to an end (doubtful).
  • codegeek
    "There was no meaningful organization scoping, no tenant isolation, and no permission check preventing a low-privilege user from accessing other organizations' records."Let me guess though. They are SOC2 and ISO compliant right ?
  • stephbook
    Tenant scoping is important. Just ask Microsoft, didn't they have one right at bing.com? Oh, just every Bing user is vulnerable to have all Microsoft data (o365 emails for example) hacked. No biggie.https://www.wiz.io/blog/azure-active-directory-bing-misconfi...
  • neilv
    Two questions prompted by this disclosure:1. I didn't see mention of a bug bounty program giving limited authorization. How do independent researchers do this with legal safety? Especially when DoD is involved?2. If a researcher discovered a vulnerability at a DoD contractor, and the contractor didn't seem to be resolving the problem, is there a DoD contact point that would be effective and safe for the researcher to report it?
  • bryancoxwell
    > Their initial reply from the CEO: "I would love to hear what the vulnerability is, but I assume you want to get paid for it. Is that the play?"Well that’s pretty damning.
  • tptacek
    Initial take: as vulnerability stories go, this is a pretty boring one; what they have here is a target that was secured largely by the fact that few people knew about it. The most work done in this blog post is establishing that a training platform deployed by DoD might be much more sensitive than the same kinds of applications which are ubiquitous throughout corporate America and which are generally boring targets.The vulnerability itself appears to be something anyone with mitmproxy would have spotted within minutes of looking at the platform; apparently, rotating object IDs worked everywhere in the app, and there was no meaningful authz.It's interesting if AI systems can "spot" these, in the sense of autonomously exercising the application and "understanding" obvious failed authz check patterns. But it's a "hm, ok, sure" kind of interesting.
  • tardedmeme
    I wonder if this is how Handala group recently stole the list of service members.How do people find these vulnerabilities within the immense scope of the whole internet? Are they going around with some kind of generic API scanner that discovers APIs?
  • ryanisnan
    Yikes, Schemata and that delinquent CEO should be held accountable.
  • bearsyankees
  • icedchai
    Was the app vibe coded?
  • sailfast
    Would be fascinated to know if this went through competitive procurement or if it was one of those Hegseth “let’s be lethal and ship broken shit to the warfighter” procurements.
  • rectang
    a16z = "Andreessen Horowitz", for those not in the know. (The acronym is not expanded in the article. EDIT: OP has fixed the article.)
  • SkyGuard_Lead
    [flagged]
  • DougN7
    Would it be possible to stop using aXXb nomenclature within the titles? Some of us aren't hip enough to know what all of them mean.
  • testing_auth
    [dead]