Medium has become the go-to home for extended blog posts from researchers, CEOs, and even the President of the United States. Now, one hacker has found a way to edit or delete any post on the publishing platform.
"I tried to think of different possibilities or testing cases on how can I delete a story of any user. And fortunately, I found a severe bug," Philippines-based freelance penetration tester and bug bounty hunter Allan Jay Dumanhug told Motherboard in an email.
The trick, Dumanhug explained in a blog post published at the end of last month, centres around Medium's "Publications" feature. Users can create their own publications—perhaps a page dedicated to infosec news, for example—and then request to add other users' posts to it. Each post on Medium is given its own unique, 12-character identifier code.
The person who authored the post has to approve that request, otherwise their story doesn't go anywhere. But Dumanhug found that while adding his own story to his own publication, he could intercept the HTTP request and simply change the identifier to that of another post.
"*Poof*. The Target's story was added to my publication," Dumanhug writes.
From here, it's possible to edit or even delete the story entirely. Dumanhug didn't go on a trigger-happy, post-deleting rampage, though: He writes that he reported the issue to Medium, and received a $350 bounty.
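The flaw described above comes down to a server accepting a client-supplied post identifier without checking that the post's author agreed. The sketch below is an added example, not Medium's code or Dumanhug's; the data model, function names and identifiers are constructed for illustration and show the unchecked handler beside one that enforces the approval step.

```python
# Constructed model of an "add story to publication" endpoint; every name
# and value here is hypothetical, not Medium's code or API.
from dataclasses import dataclass, field

@dataclass
class Post:
    post_id: str          # 12-character identifier, as the article describes
    author: str
    approved_for: set = field(default_factory=set)  # publications the author approved

@dataclass
class Publication:
    name: str
    owner: str
    posts: set = field(default_factory=set)

POSTS = {
    "aaaaaaaaaaaa": Post("aaaaaaaaaaaa", author="alice"),
    "bbbbbbbbbbbb": Post("bbbbbbbbbbbb", author="bob"),
}

def add_post_vulnerable(user, pub, post_id):
    """Before: checks only that the caller owns the publication."""
    if pub.owner != user or post_id not in POSTS:
        return False
    pub.posts.add(post_id)      # post_id is taken from the request unchecked
    return True

def add_post_hardened(user, pub, post_id):
    """After: the post's author must be the caller or must have approved."""
    post = POSTS.get(post_id)
    if pub.owner != user or post is None:
        return False
    if post.author != user and pub.name not in post.approved_for:
        return False            # no ownership and no approval: refuse
    pub.posts.add(post_id)
    return True

def can_edit(user, pub, post_id):
    """Publication owners can edit or delete stories in their publication."""
    return pub.owner == user and post_id in pub.posts
```

The hardened handler makes its decision from server-side state (who wrote the post, what they approved), so changing the identifier in the request no longer changes the outcome.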
This attack was still possible even though Medium uses HTTPS, a protocol for encrypting data in transit. If Dumanhug had snooped on encrypted traffic, he wouldn't have been able to see or tamper with its contents.
But a Medium spokesperson told Motherboard in an email that, "this was a software bug that this researcher uncovered by manipulating parameters and crafting a URL outside of the normal user flow," meaning that the traffic would not have been encrypted.
"We're really proud of Medium's security history: We fix bugs incredibly fast and the bounty program has helped our team to be even tighter. Further, we have a biannual security external audit, we can fix and deploy patches very quickly and we highly value the white-hat research community," the spokesperson wrote, and added that "the bug was reported and fixed within hours."