The White House had an unexpected surprise on Tuesday when a hacker discovered and used a bug on publishing platform Medium to add himself as a writer to The White House’s blog.
Medium.com/@WhiteHouse is increasingly used as a major publishing tool for prominent U.S. officials, making it a target for hackers. The Obama administration utilized it to publish their 2016 fiscal budget and updates on the Ebola crisis, among dozens of other posts. On the other side of the aisle, the platform was used last year by Mitt Romney to announce he would not run for president.
Penetration tester and bug bounty hunter Allan Jay Dumanhug outlined in his own Medium blog post exactly how he closely examined the blogging website’s new “Invite Writers” feature and discovered a vulnerability allowing him access to all blogs without authorization. He added himself to the White House’s list of contributors. Dumanhug then reported the bug to the company and received a $250 reward. It took about 10 hours for Dumanhug to be removed as a writer for the White House.
The hacker would not have been able to post a story on the site without the account owner’s authorization, Medium representative Kate Manson told CyberScoop.
“They’ve got new features so there’s a possibility that there’s a security issues,” Dumanhug explained. “Then, I started testing the new feature by inviting my second email in my own publication to test how does the feature works.”
Dumanug intercepted the new invite feature’s HTTP POST Request which allowed him to substitute in any Medium blog he wanted, thereby gaining an invite and access. The White House’s page was his.
He found a similar bug earlier this year allowing him to update and delete stories by any user on Medium. To emphatically demonstrate the bug, Dumanug targeted the White House’s blog once again and gained enough control over the site to change or remove blog posts.
That discovery—and the restraint to not deface Obama’s blog—earned Dumanug a $350 bounty from Medium for his work.
Correction: A previous version of this story stated Dumanug could have published an entry on the White House’s blog. The bug only allowed him to add himself as a writer. He would not have been able to publish a story without the account owner’s authorization.