Medium is used by a slew of nonprofits, independent journalists and even political organizations to post longer-than-tweet-sized musings or announcements. But one hacker found a way to add himself as an author to any Medium publication, and demonstrated the security issue by barging in on The White House's own channel.
The issue centered around Medium's add authors by email feature, in which editors can invite people to their publication even if the author doesn't have a Medium account.
While testing out the new feature, Philippines-based freelance penetration tester and bug bounty hunter Allan Jay Dumanhug intercepted the invite's HTTP request with Burp Suite, a popular platform for testing the security of web applications, he told Motherboard in an email.
When an editor invites an author, the HTTP request includes a 12-character code, unique to the publication.
But all Dumanhug had to do was substitute the code in that request with one belonging to any other publication he wanted.
"So, without hesitation I searched for The White House's Medium Publication and grabbed its Collection ID," Dumanhug writes in his own Medium post. In this case, the code was 51210352003f.
Dumanhug submitted the HTTP request with The White House's ID, and he quickly received an invite to its Medium publication.
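The failing check at the core of this, as an added illustration that is not Medium's code: a hypothetical invite handler that trusts the client-supplied collection ID, beside one that verifies the requester's editor role on that specific publication before acting. All names, emails and collection IDs below are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Publication:
    collection_id: str          # the 12-character code sent in the invite request
    editors: set                # users allowed to invite authors
    members: set = field(default_factory=set)


def sample_publications():
    """Constructed sample data; these IDs are placeholders, not real ones."""
    return {
        "aaaaaaaaaaaa": Publication("aaaaaaaaaaaa", editors={"alice"}),
        "bbbbbbbbbbbb": Publication("bbbbbbbbbbbb", editors={"bob"}),
    }


def invite_vulnerable(pubs, requester, collection_id, invitee_email):
    """Checks that the requester edits *some* publication, then trusts whatever
    collection ID the client supplied: an insecure direct object reference."""
    if not any(requester in p.editors for p in pubs.values()):
        return 403
    pub = pubs.get(collection_id)
    if pub is None:
        return 404
    pub.members.add(invitee_email)
    return 200


def invite_hardened(pubs, requester, collection_id, invitee_email):
    """Resolves the object named in the request first, then checks the
    requester's role on that exact object before mutating it."""
    pub = pubs.get(collection_id)
    if pub is None:
        return 404
    if requester not in pub.editors:
        # A valid session asking to modify a publication it has no role in is
        # a tampering signal worth logging, not just a denied request.
        return 403
    pub.members.add(invitee_email)
    return 200
```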
Kate Mason, a spokesperson from Medium, told Motherboard in an email that "the bug didn't ever allow anyone to write on Medium in anyone's publication: it just made them a member of that publication." A hacker could have submitted a draft to the publication, but couldn't have published it, she continued.
Dumanhug says Medium awarded him a $250 bug bounty for his trouble.
This is remarkably similar to another security issue that Dumanhug discovered. In June, he found a way to add anyone's Medium post to his own publication, meaning that he could then edit or delete it, with pretty much the same technique.
Update: This piece has been updated with Medium's comment to clarify that it would not be possible for an author to publish their own article on the target platform: they could only submit a draft. The word "writer" has also been substituted throughout the piece with "author" to more accurately reflect this.