hackerone | peterldowns | H1:2011298
History: Jun 02, 2023 - 5:08 p.m.

Stripe: The `stripe/veneur` GitHub repository links to a domain `veneur.org`, which is not under stripe's control

2023-06-02 17:08:21
peterldowns
hackerone.com
19
Tags: stripe, veneur, github repository, uncontrolled domain, phishing, supply chain attacks

Initially reported at https://github.com/stripe/veneur/issues/1058. Since that report, the repository’s sidebar has been updated to no longer link to the uncontrolled domain. Many of the 179 forks of this repository still contain the link to the uncontrolled domain.

Summary:

  • The github.com/stripe/veneur repository contains security-sensitive code which is designed to run within a company’s private network, often as a sidecar on each of their application servers.
  • The repository’s README and documentation does not contain instructions for installing veneur. Instead, it linked to an external domain, https://veneur.org, which contained those instructions.
  • The https://veneur.org domain appears to be no longer under Stripe’s control.
  • If the website is not under Stripe’s control, it is an easily exploitable vector for a phishing or supply chain contamination attack. The targets of this attack would be users of the open source release of veneur (not specifically Stripe), and Stripe customers.
  • Example attack:
    • step one: control https://veneur.org, either because you are the current owner or you purchase the domain.
    • step two: recreate the old site, but edit the installation instructions to reference malicious source code or a docker image built with malicious code.
    • step three: a veneur user follows the instructions
    • outcome: attacker-controlled code/image running inside a privileged environment.
  • Example attack two:
    • step one: control https://veneur.org, either because you are the current owner or you purchase the domain.
    • step two: replace the contents of the website with a fake Stripe login screen.
    • step three: a veneur user, who is likely to also be a Stripe user, enters their username and password into the fake login screen.
    • outcome: attacker gains access to privileged credentials. Because the https://veneur.org website is linked to by an official, Stripe-controlled repository, there is a much greater likelihood that the attack will succeed than if it had to operate on a different domain.

Steps To Reproduce:

  1. Visit https://github.com/stripe/veneur
  2. Click on the https://veneur.org link in the sidebar.

Since I initially reported this issue in the Github repository, at https://github.com/stripe/veneur/issues/1058, the sidebar has been edited to no longer link to https://veneur.org. Many of the 179 forks of this repository still contain the link to the uncontrolled domain.
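The underlying defect, a repository (and its forks) pointing users at a domain the organization does not own, is easy to audit for mechanically. The following script is an added example, not code from the report or from the stripe/veneur project: it extracts every http(s) URL from README or sidebar text, drops domains on an assumed allowlist of organization-controlled domains, and then distinguishes links whose name still resolves (registered, but by someone outside the allowlist, as veneur.org is here) from links whose name does not resolve at all (dangling, and therefore registrable by anyone). The sample README text, the `TRUSTED_DOMAINS` allowlist and the `docs.example.com` placeholder are constructed for the demonstration; `demo_resolver` stands in for real DNS so the script runs offline.

```python
"""Audit README/docs text for links to domains the project does not control.
Added example; not part of the HackerOne report or of stripe/veneur."""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List
from urllib.parse import urlparse

# Matches http(s) URLs in markdown or plain text; trailing punctuation is trimmed below.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


@dataclass(frozen=True)
class Finding:
    url: str
    domain: str
    reason: str  # "external": registered, outside allowlist; "unresolvable": dangling name


def is_trusted(domain: str, trusted: Iterable[str]) -> bool:
    """True if domain equals, or is a subdomain of, any allowlisted domain."""
    domain = domain.lower().rstrip(".")
    for t in trusted:
        t = t.lower().rstrip(".")
        if domain == t or domain.endswith("." + t):
            return True
    return False


def resolves(domain: str) -> bool:
    """Default resolver: does the name have any address record? Requires network."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def audit_links(text: str, trusted: Iterable[str],
                resolver: Callable[[str], bool] = resolves) -> List[Finding]:
    """Return one Finding per distinct domain that is outside the allowlist."""
    findings: List[Finding] = []
    seen = set()
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:")
        domain = (urlparse(url).hostname or "").lower()
        if not domain or domain in seen:
            continue
        seen.add(domain)
        if is_trusted(domain, trusted):
            continue
        # A registered-but-external name needs an ownership check; an
        # unresolvable one is dangling and can be registered by anyone.
        reason = "external" if resolver(domain) else "unresolvable"
        findings.append(Finding(url=url, domain=domain, reason=reason))
    return findings


# Constructed sample README text. The github.com and veneur.org links are the ones
# discussed in the report; docs.example.com is a placeholder for a dangling name.
README_SAMPLE = """\
# veneur
Installation instructions: https://veneur.org/install/
Source code: https://github.com/stripe/veneur
Old docs (no longer registered): https://docs.example.com/veneur
"""

# Assumption for the example: the organization controls these domains.
TRUSTED_DOMAINS = ("github.com", "stripe.com")


def demo_resolver(domain: str) -> bool:
    """Offline stand-in for `resolves`: treat only docs.example.com as dangling."""
    return domain != "docs.example.com"


if __name__ == "__main__":
    for f in audit_links(README_SAMPLE, TRUSTED_DOMAINS, resolver=demo_resolver):
        print(f"{f.reason:12} {f.domain:20} {f.url}")
```

Run against a real checkout, feed it the README and any docs directory with the default `resolves` resolver, and treat every "external" finding as a domain whose registrant must be confirmed and every "unresolvable" finding as one to register or remove. Running the same check over each fork's README is how the 179 forks mentioned above would be enumerated.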

Supporting Material/References:

Initial report with images:

The link in the sidebar:

The contents of the website currently:

Impact

An attacker can easily impersonate Stripe, taking advantage of the fact that this website is linked to by an official Stripe-owned web page. They can use this as the beginning of a phishing or a supply-chain contamination attack targeting Stripe’s customers.