undefined | Better HN

0 pointsnomilk1y ago0 comments

> "pretty irresponsible"

Wouldn't it be more like "pretty illegal"? They could have simply used body: JSON.stringify("worked"), i.e. not sent target machines’ actual environment variables, including keys.

0 comments

reubenmorais1y ago

It's an unfortunate incentive structure. If you're doing offensive security research, there's two ways you can go about it: you can report the potential vulnerability without exploiting it, in which case you risk the company coming back to you and saying "thanks but we don't consider this a vulnerability because it's only exploited through misconfiguration and we're too smart for that". Maybe you get some token reward of $50.

Or you can exploit it and say here's the PoC, this many people at your company fell for it, and this is some of the valuable data I got, including some tokens you'll have to rotate. This puts you into actual bug bounty territory. Certainly the PR side of things alone will incentivize them to pay you so you don't make too much of a noise about how Cursor leaked a bunch of credentials due to a misconfiguration that surely every good programmer knows about and defends against (like so many vulnerabilities seem so dumb in hindsight).

xmodem1y ago

Cursor does not have a bug bounty though, and its hard to see how this constitutes anything other than a direct attack on them, their users, or both. "The incentive structure made me do it" does not justify acting like a criminal.

grajaganDev1y ago

Cursor asks researchers to report vulnerabilities to their GitHub security page.

The same incentive to show impact applies even without a paid bounty.

px431y ago

> Cursor does not have a bug bounty

Shouldn't this alone be considered criminal negligence at this point? Cursor isn't some random open source project. It's a company that has funding, and subscriptions. Hell, I pay Cursor for a monthly subscription. Pretty incredible that they have no bounty program.

1 more reply

miki1232111y ago

You can also console.log those credentials as a PoC, and then show that the console.log could trivially be replaced by a fetch().

Kind of like a lot of exploit PoCs just "pop a calc" (AKA open the Calculator app), not because opening the calculator is valuable to an attacker, but because if you can open calculator, you can do anything.

objectified1y ago

The problem there though, is that with PoCs like this, as an attacker you want to have a ping back to your system so that you know the attack has been successful (in this case they probably expected/hoped someone at Cursor to install the package, that's the usual objective in a dependency confusion attack). But what they could have done, is send a less sensitive thing like just the current working directory or current effective user, instead of the whole environment.

1 more reply

mistercow1y ago

I wonder how viable it would be to find a public key your target owns and use it to encrypt the data you send back. Then you could prove to them that you exfiltrated real data without exposing it to anyone outside the company.

Alternatively, you could hash it and say “Look, it’s a sha of your database password hyphen “yougotpwnd””

necovek1y ago

HTTPS certificates should already have that public key for you, so it should be trivial.

Szpadel1y ago

wouldn't capturing only env names without values be ideal middle ground?

look we had access to your Aws tokens, we could take over your account but we didn't steal actual token, we just got proof that we could access it

reubenmorais1y ago

Yes I agree names only would have been a better approach here.

6mile1y ago

Yeah, I agree the incentive structure is broken for bug bounty hunters. Until the BB platforms themselves create some rules for their customers and researchers, we are gonna continue to have the sh*t show that we do now. The reality is that bug bounty hunters are deploying a significant percentage of the total malicious NPM packages each month.

mcherm1y ago

> The reality is that bug bounty hunters are deploying a significant percentage of the total malicious NPM packages each month.

I don't actually think that is a bad thing.

The TSA screening at airports would be vastly better if TSA maintained a "red team" that regularly tried smuggling guns (or water bottles or whatever) into airports. The agents would be more attentive if the number of incidents they dealt with was large enough that they could practice more often. The system could improve if it had actual feedback on how accurate and effective it was. And instead of agents overreacting or underreacting they could tune their responses to an appropriate level.

The same applies to supply chain attacks. The REAL ones are rare, dangerous, and performed by experts; having a chance to practice catching them, to assess our detection rates, and to adjust our reactions is healthy.

1 more reply

whimsicalism1y ago

a prerequisite of “offensive security research” is that it is solicited, no ifs or buts.

what they did was absolutely wrong and frankly likely illegal

peanut-walrus1y ago

Yeah, it sucks, but that's the way it is. It is super common for bug bounty findings to be ignored or downgraded unless you show actual code exec on their machines or dump some of their creds.

j / k navigate · click thread line to collapse

0 comments

reubenmorais1y ago

xmodem1y ago

grajaganDev1y ago

Cursor asks researchers to report vulnerabilities to their GitHub security page.

The same incentive to show impact applies even without a paid bounty.

px431y ago

> Cursor does not have a bug bounty

1 more reply

miki1232111y ago

You can also console.log those credentials as a PoC, and then show that the console.log could trivially be replaced by a fetch().

objectified1y ago

1 more reply

mistercow1y ago

Alternatively, you could hash it and say “Look, it’s a sha of your database password hyphen “yougotpwnd””

necovek1y ago

HTTPS certificates should already have that public key for you, so it should be trivial.

Szpadel1y ago

wouldn't capturing only env names without values be ideal middle ground?

look we had access to your Aws tokens, we could take over your account but we didn't steal actual token, we just got proof that we could access it

reubenmorais1y ago

Yes I agree names only would have been a better approach here.

6mile1y ago

mcherm1y ago

> The reality is that bug bounty hunters are deploying a significant percentage of the total malicious NPM packages each month.

I don't actually think that is a bad thing.

1 more reply

whimsicalism1y ago

a prerequisite of “offensive security research” is that it is solicited, no ifs or buts.

what they did was absolutely wrong and frankly likely illegal

peanut-walrus1y ago

Yeah, it sucks, but that's the way it is. It is super common for bug bounty findings to be ignored or downgraded unless you show actual code exec on their machines or dump some of their creds.

j / k navigate · click thread line to collapse