Throne fixes security bug that exposed private home addresses of creators


By Webdesk


A recently resolved security bug on a popular creator support platform shows how even privacy-focused platforms can put creators’ private data at risk.

Founded in 2021, Throne bills itself as “a completely secure concierge wishlist service that acts as a go-between between your fans and you.” Throne claims to support over 200,000 creators by sending thousands of their wishlist items per day, while protecting the privacy of the creators’ home addresses.

The idea is that online creators, such as streamers and gamers, can publish a wish list of gifts for supporters to buy, and Throne acts as an intermediary. “Your fans pay for the gifts and we take care of the rest,” the website reads. “We make sure that the payment is processed, that the item is shipped and most importantly that your private information remains private.”

But a group of good-faith hackers found a vulnerability that subverted that claim and exposed the private home addresses of the creators who use the platform.

Enter Zerforschung, the German collective of security researchers behind the latest discovery. You may remember the collective from December, when it discovered and disclosed major security bugs in Hive, a social media alternative popularized by the exodus of Twitter users after Elon Musk became the company’s new owner. Hive briefly shut itself down to fix the vulnerabilities found by Zerforschung, which allowed anyone to modify someone else’s messages and access other people’s private messages.

Zerforschung told TechCrunch that they discovered the vulnerability in how the company had set up the database, hosted on Google’s Firebase, that it uses to store data. The researchers said the database was inadvertently configured to allow anyone on the internet to read the data in it, including session cookies for Throne’s Amazon accounts, which could be used to break into an account without needing the password.

Session cookies are small pieces of data placed on your computer or device that keep users logged in to apps and websites without having to repeatedly enter a password or complete two-factor authentication. Because a session cookie keeps the user logged in, it is an attractive target for hackers: whoever holds it can use it to log in as if they were that user. Since the session looks legitimate, it can also be harder to detect that someone other than the user is using the cookie.

With those Amazon session cookies, the security researchers found they could access Throne’s Amazon account, which is used to order and ship gifts from a creator’s wishlist, without ever needing a password. The researchers said anyone with the same session cookies, essentially the keys to Throne’s Amazon account, can log in and view thousands of orders and the names and addresses of their creators.

Zerforschung demonstrated the bug in a video call with TechCrunch last week, allowing us to verify their findings. The researchers showed us the thousands of orders placed through Throne’s Amazon account over the past few months, which revealed the names and addresses of creators Throne claimed to protect.

The collective of researchers reported the bug to Throne later the same day. Throne fixed the bug shortly afterward and confirmed the vulnerability in a blog post published this week, thanking Zerforschung for their findings.

“A version of Throne shipped at the end of March that misconfigured Firestore rules. This enabled the security researchers to read some data that should not have been available, such as the blocked IP addresses we track to prevent fraud and session cookies for a small subset of our merchant accounts,” said Throne.
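Throne’s statement attributes the exposure to misconfigured Firestore rules. As an added illustration, not Throne’s actual rules (which are not public), the following Firestore security rules file shows the kind of open rule that lets any client read every document, alongside a default-deny configuration in which a creator can only read their own document and a server-only collection holding merchant session data is not reachable by clients at all; the collection names `creators` and `merchantSessions` are assumptions.

```text
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Catch-all rule. A misconfiguration of the kind described above looks like
    //   allow read, write: if true;
    // which lets any client, signed in or not, read and write every document,
    // including documents the backend only ever meant to read itself.
    // Default-deny instead: nothing is reachable unless a rule below allows it.
    match /{document=**} {
      allow read, write: if false;
    }

    // Hypothetical per-creator document (wishlist settings, public display name).
    // Only the signed-in creator whose uid matches the document id may access it.
    match /creators/{creatorId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == creatorId;
    }

    // Hypothetical collection of merchant session material (for example the
    // cookies a backend uses to place orders). No client path at all: rules do
    // not apply to server-side Admin SDK access, so the backend can still use
    // it while no browser or mobile client can list or read it.
    match /merchantSessions/{sessionId} {
      allow read, write: if false;
    }
  }
}
```

Rules are enforced only for client SDK requests, so anything that only the backend needs, such as session cookies, should live behind a path no client rule allows, and the rule set can be exercised against the Firestore emulator before it is deployed.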

But questions remain for the company. Throne says it used network logs to determine that “there was no risk and no unknown party had accessed data.” Zerforschung disputes this claim, as Throne never asked the collective for its IP addresses, which the company would need in order to separate the researchers’ activity from any unknown access when investigating the incident.

Logs are important because they keep track of internal events, such as who logs in where and when. The logic is that if security researchers like Zerforschung found the bug, malicious actors may have discovered it as well. It’s not clear if anyone else accessed or exfiltrated Throne data, or if Throne has the technical ability to determine what, if any, data was viewed.

Throne also claimed in its blog post that an unnamed German data privacy expert “confirmed there was no data risk,” which makes no sense since Zerforschung proved otherwise.

When reached for comment, Throne co-founder Patrice Becker largely repeated Throne’s blog post in a boilerplate statement, but declined to answer our specific questions or provide the name of the purported data privacy expert cited in the blog post.

Becker did not dispute Zerforschung’s findings or the exposure of the creators’ home addresses when asked about this.


