December 2, 2013 · research websec bugbounty

I found Prezi’s source code

Edit: Prezi have decided to pay me for my findings, I have included a brief update at the end of this blog post.

Recently, I participated in the Prezi bug bounty with high hopes of finding some web application flaws. I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains, with the assistance of google.

Soon enough, I found "http://intra.prezi.com:8081", running Sonatype Nexus (A source code/repository management tool). Whilst it is now restricted, at the time I found it, it was open to the world, and all I required was a username and password to access precious Prezi source code.

Logically, I searched the very same Nexus repository URL in Google, and found something incredibly shocking, for such a big company like Prezi.

One of the developers of Prezi (Adam ), had left his private bitbucket repositories public.
ಠ_ಠ

In his public repo, I had found a config file, including the username and plain text password for the Nexus repo:

nexusRepositoriesUrl=http://intra.prezi.com:8081/nexus/content/repositories  
nexusUrl=http://intra.prezi.com:8081/nexus  
nexusUser=deployment  
nexusPassword=Iguangmd  
org.gradle.daemon=true  

I checked if the credentials were valid. They were. I sent them off to Prezi Site Security, within 10 minutes of myself logging in.

img1

Around an hour and a half later, I had received an email from Attila - the person managing the security issue I had just reported. He had confirmed that the credentials were changed, commented me positively on my finding and promised to get back to me by the following Monday to update me on the bugs impact.

img2

At this stage, I was happy that they had "approved" my discovery and had "fixed" the issue temporarily by changing the credentials.

However, came the following Monday, in which I received no response...

I waited till Thursday (31st of Oct), and then decided to follow up on the status of the issue's severity. I emailed:

My follow up on the issue

img3

I got a disappointing response:

img3

I replied with my address, as well as my justification for why their decision was wrong.

However, after my response to the above email, I received no response confirming their acknowledgement. Whilst waiting for their response, I realised that I would rather not accept their "swag", and decided to instead, send off an email indicating why I wished to walk away with nothing.

I don't think I'll be participating in the Prezi bug bounty anymore.

Anyways, they did try and get it right, by emailing me an apology as well as responding to my constructive criticism. This blog post, is by no means attempting to discourage people from participating from Prezi's bug bounty, but rather just a blog post about how finding Prezi's source code was not eligible for their bug bounty.

Please be aware of what you put up on github/bitbucket.

4/12/13: 4:19 AM GMT +10 - I have updated the post and the pdf, redacting the last names of the developers associated.

4/12/13: 11:35 AM GMT +10 - Prezi have emailed me apologising and have gracefully accepted to pay me for my findings.

6/12/13: 2:00 AM GMT +10 - There were a few parts of the blog post in which I claimed that I didn't break the ToC for Prezi Bug Bounty. Whilst this claim still exists in the PDF, it is untrue, as I did indeed break one of their ToC's disallowing the testing of out of scope services. Sorry about this, I have removed it from the blog post.  
Hello Shubham,

As we previously wrote we had long conversations about the issue you
reported, after your blog post and the reaction of the community we
continued these conversations and we got to the conclusion that it was
a mistake not to reward properly something which was helpful for us
and was disclosed to us responsibly.
I would like to apologise for it, we shared our mistake on
http://engineering.prezi.com/blog/2013/12/03/a-bug-in-the-bugbounty/index.html
(please let me know if it is OK to have your name in the post or we
should remove it) and will start to review our previous responses
based on the principle, that if we feel that the reported issue is
important for us to change code / credentials and the issue was shared
responsibly then we will properly reward it even if it was not within
the original scope.

So we would like to kindly ask you to send us some details which we
can use for the payment, since you are definitely eligible for the
bounty:
1. Beneficiary Name
2. Beneficiary Address
3. Beneficiary Phone Number
4. Bank Name
5. Bank City and State
6. Bank Country
7. IBAN
8. SWIFT Code

Thanks for helping us to improve our program and sorry once again!

Regards,

Misi

I have accepted their apology, and replied with the following:

Hello Mihaly Zagon,

Thanks for getting back to me. I was pleasantly surprised at the reaction to my blog post by the internet community, and I am glad that due to their response, you have continued to discuss my findings internally.
I whole wholeheartedly accept your apology and the blog post in which Prezi has delicately responded to positively. I feel that it's perfectly fine to list my name in the blog, as it is one which precisely sums up the entire situation.
The last point you raise in this email, about security implications somewhat larger than the scope of the bounty, and how Prezi should deal with them now and in the future, is spot on. Sometimes, some issues don't fit exactly into the scope, but they should be acknowledged for the potential damage which could have been caused.
My details are:<REDACTED>
I appreciate Prezi trying to make things right and gracefully, once again, accept your apology.

Thank you,
Shubham

I have included these new emails in the letter log initially posted.

Thanks for reading.

Comments powered by Disqus