Imgur: Imgur dev environments facing the Internet

ID H1:100916
Type hackerone
Reporter nathonsecurity
Modified 2016-01-08T23:23:25


A security group configuration error exposed Imgur development environments to the public internet. Typically these environments were protected behind a special endpoint that opened access to authenticated Imgur employees for a short time window. Because the development environments were configured to make development easier, some keys and environment variables were exposed. While most of this sensitive information was limited to the development environments, some production information was also exposed. Since this report was published, security around development environments has been completely reworked and they now reside behind a VPN. An additional $5,000 bounty was awarded as a result of this report.