The Russian penetration tester Vladimir Ivanov from the security firm Positive Technologies has discovered a vulnerability in anti-ransomware backup service Code42. The flaw could be exploited by attackers to steal data from the organizations using the services, including Uber, Adobe, and Lockheed Martin.
Ivanov discovered the XML external entity vulnerability while it was searching for flaws in the Uber service that was covered by the bug bounty program of the company.
Ivanov reported the flaw to Uber that agreed to pay him US$9,000 considering that Code42 doesn’t have a bug bounty program.
“The only option to break the service and get a bounty for pwning the [Code42] application was to find a zero day,” Ivanov says.
“[The vulnerability] could give access to backups of all users in a given company. Uber security guys were excited with this vulnerability: they contacted vendor and confirmed that this vulnerability was a zero day.”
An XML External Entity issue occurs everytime an XML input containing a reference to an external entity is processed by a not properly configured XML parser, as a result, it can cause the disclosure of confidential data, denial of service conditions and trigger server-side request forgery attacks.
Ivanov reported the issue to Uber in May through its HackerOne bug bounty, then the company informed Code42 of the flaw that promptly fixed it.
“As a proof-of-concept for Uber, I retrieved the contents of /home/ directory of the server, which was a nice impact illustration to my report at Hackerone,” wrote Ivanov.
“I like to show impact of a given vulnerability, so you don’t have to ask me twice. Given permission to show further exploitation, I quickly found the folder, where backup logs were stored. ”
Code42 asked Ivanov to wait all customers had applied the security updates to fix the flaw before publicly disclose it.
(Security Affairs – Uber, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.