The popular content writing and sharing platform Medium had a serious security flaw. The vulnerability basically existed in the Medium Partner Program, exploiting which could allow stealing writers’ earnings.
Medium Partner Program Vulnerability
Medium’s Partner Program allows writers to make money via their articles. The program considers the time Medium subscribers spend on reading those articles to generate the fee.
A security researcher Mohammad-Ali Bandzar has recently disclosed a security flaw affecting this program. He noticed that exploiting that vulnerability in Medium Partner Program could let an adversary siphon off writers’ earnings.
Describing the details in his Medium blog post, the researcher stated he found the Medium Partner Program endpoint doesn’t verify a userID for a valid logged-in session. Whereas, it would also accept any userID cookie value transmitted to it.
thus, an adversary could easily search for userID by going through the users’ profiles. As stated in the post,
It is incredibly easy to find out peoples userIDs all you have to do is navigate to their profile and search for “{\”id\”:” in the HTML code of the webpage to find out their userID and you will see that the Netflix Tech BlogUserID is :”c3aeaf49d8a4”(on a side note, these userIDs are meant to be public)
Hence, anyone could simply change the UID cookie to a subscriber and would load its own article to generate money. Medium would not validate the UID for an active session.
As PoC, the researcher exploited the bug to generate 34 cents before reporting the matter to Medium.
Also, he found that Medium Partner Program earnings are not as such related to the reading time.
Medium Deployed A Fix
Following his report, Medium deployed a fix for it. Though, according to Daily Swig, the researcher didn’t verify the fix.
He earned $250 as bounty, as his findings qualified the “Bugs allowing artificial manipulation of ranking and recommendation systems” criteria under the Medium’s Bug Bounty Disclosure Program.
Though, the researcher has clearly stated he isn’t sure if he was the first one to identify the flaw. In a situation otherwise, many writers had likely lost their earnings to potential attackers.