We recently fixed a security vulnerability whereby an attacker could upload executable content to our media storage domains.
On 13th November 2022, a security researcher notified us of a cross-site scripting (XSS) vulnerability affecting our media storage domains. This XSS vulnerability made it possible for attackers to upload content to our storage domains that could then be shared as links for use in phishing or other attacks.
We fixed the vulnerability on the morning of 15th November 2022 by blocking script access to the API from the impacted domains, so that any malicious code served from those domains could not reach authenticated private data. This remedial action was followed by another fix on 16th November that deployed block rules at our Content Delivery Network (CDN) provider to prevent malicious resource links being served to users. In addition, on 8th December we deployed a change to the API so that only files of permitted, non-executable types can be uploaded to these storage domains.
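The following is an added example, not code from the affected service, of the kind of upload allow-listing the 8th December change describes: an upload is accepted only when its extension, declared Content-Type and leading magic bytes all agree on a plain image type, and anything a browser could interpret as a document (HTML, SVG, XML, JavaScript, or an image header followed by such markup) is refused. The function names, the allow-list and the serving headers are assumptions chosen for illustration.

```python
"""Upload allow-listing for a media storage domain (illustrative example).

Not the affected service's own code. The allow-list, the marker list and the
response headers are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional
import re

# Magic-byte signatures for the only types we accept. SVG is deliberately
# absent: it is XML, may carry <script>, and is a classic stored-XSS vector.
ALLOWED_SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXTENSIONS = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
}

# Byte sequences whose presence means a browser (or a sniffing proxy) could
# treat the object as an active document rather than as an image.
ACTIVE_CONTENT_MARKERS = (b"<script", b"<html", b"<svg", b"<?xml", b"javascript:")


@dataclass
class Decision:
    accepted: bool
    content_type: Optional[str]
    reason: str


def validate_upload(filename: str, declared_type: str, data: bytes) -> Decision:
    """Decide whether an uploaded object may be stored on the media domain."""
    # Use only the final extension: "evil.png.html" must be judged as .html.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return Decision(False, None, f"extension {ext!r} not allowed")
    if declared_type.lower() != expected:
        return Decision(False, None, "declared Content-Type does not match extension")
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[expected]):
        return Decision(False, None, "magic bytes do not match declared type")
    # Polyglot check: a valid image header followed by HTML is still dangerous
    # wherever something downstream sniffs content, so inspect the first 4 KiB.
    head = data[:4096].lower()
    if any(marker in head for marker in ACTIVE_CONTENT_MARKERS):
        return Decision(False, None, "active-content marker found in file body")
    return Decision(True, expected, "ok")


def response_headers(content_type: str, filename: str) -> dict:
    """Headers for serving a stored object so the browser never runs it as a page.

    nosniff stops MIME sniffing, and a sandboxed CSP means that even a file
    that slipped past validation cannot execute script in the storage origin.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(validate_upload("logo.png", "image/png", png))
    print(validate_upload("logo.png", "image/png", b"<html><script>alert(1)</script>"))
    print(validate_upload("logo.png", "image/png", png + b"<script>alert(1)</script>"))
    print(validate_upload("icon.svg", "image/svg+xml", b"<svg onload=alert(1)>"))
    print(response_headers("image/png", 'logo";x.png'))
```

The extension, declared type and magic bytes are checked independently because an attacker controls all three separately in a multipart upload; agreement among them is the minimum before the body itself is inspected.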
The mitigation and fix steps described above gave us time to research the problem and audit our storage systems for any live exploits. After this audit we determined that this vulnerability had not been exploited for any malicious purpose; no data was leaked and no users were exposed to injected code.
We'd like to thank Michal Biesiada (https://github.com/mbiesiad) for bringing this issue to our attention and for following responsible disclosure by reporting it to us in private, as requested on our security page.