One of the YAML files caught my attention.

```yaml
data:
  matrixbot-username: {{ .Values.matrixbot.username | default "some_leaked_username" | b64enc }}
  matrixbot-password: {{ .Values.matrixbot.password | default "some_leaked_password" | b64enc }}
```

Initially, I had no clue what these passwords were, so I started searching for the matrix thing.

I stumbled upon https://matrix.org and realized this is a communication client.

Matrix is an open-source project that publishes the Matrix open standard for secure, decentralized, real-time communication, and its Apache-licensed reference implementations.

So, here's the plan: find the client, try to log in and see if I was lucky enough. I found a web-based client at https://app.element.io/#/login and attempted to log in, but it didn't work.

I almost gave up, but then I noticed that there is an option to use a self-hosted server. And it somehow summed up my theory that a DevOps person might have used it for some automation, so there was a YAML file, and hence it should be self-hosted.

Now I had to find the hosted server, and the most obvious step was to look for subdomains.

There were multiple subdomains, and one that caught my attention was matrix.thewebsite.com

Visiting the URL showed this, which was very convincing that I was at the right place.

So I visited https://app.element.io/#/login again, added the custom server, and entered the leaked username and password. To my surprise, I was in.

Once logged in, I understood the creds belonged to a Matrix bot. There was a hell of a lot of information (Grafana passwords, server logs, private keys, etc.) in the channel descriptions themselves. However, I immediately logged out and filed a report.

Reward: $4000

Takeaway for hackers:
- Do not give up or conclude too early. Try and research more.
- Try to escalate leaks, but with caution. Do not go very deep.

Takeaway for companies:
- Purge the files; just deleting a file doesn't work.
- Implement 2FA for all accounts.

Timeline:
7th Aug: Filed the report.
7th Aug: Bug was fixed by removing the file as well as refreshing the credentials. Additionally, 2FA was implemented.
11th Aug: $4000 bounty reward.
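
The custom-homeserver login step described above, reproduced against the Matrix client-server API as an added example. This is not the author's tooling and not Element's code; it uses only the Python standard library. The endpoints (`/.well-known/matrix/client`, `/_matrix/client/versions`, `/_matrix/client/v3/login`, `/_matrix/client/v3/logout`) are the ones the Matrix spec defines. The server name `matrix.thewebsite.com` is taken from the post; the bot user name `matrixbot`, the access token and the canned responses in `fake_transport` are constructed for this example so it runs offline. Swap in `urllib_transport` to talk to a live homeserver.

```python
# Added example: walk the "custom homeserver" path that a Matrix client takes, using only
# the Matrix client-server API and Python's standard library. The endpoints are from the
# Matrix spec; the bot account and the canned responses in fake_transport are constructed
# for this example and are not the real target.
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# (method, url, json_body_or_None, extra_headers) -> (status, decoded_json_body)
Transport = Callable[[str, str, Optional[dict], Dict[str, str]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, body: Optional[dict], headers: Dict[str, str]) -> Tuple[int, dict]:
    """Real HTTP transport (not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def discover_homeserver(server_name: str, http: Transport = urllib_transport) -> str:
    """Resolve where the client API lives. Clients first try the .well-known delegation
    document on the server name; without one, the server name itself is the base URL.
    Either way, /_matrix/client/versions must answer before we believe it is a homeserver."""
    base_url = f"https://{server_name}"
    status, body = http("GET", f"{base_url}/.well-known/matrix/client", None, {})
    if status == 200 and "m.homeserver" in body:
        base_url = body["m.homeserver"]["base_url"].rstrip("/")
    status, body = http("GET", f"{base_url}/_matrix/client/versions", None, {})
    if status != 200 or "versions" not in body:
        raise RuntimeError(f"{base_url} is not a Matrix homeserver (status {status})")
    return base_url


def password_login(base_url: str, user: str, password: str, http: Transport = urllib_transport) -> dict:
    """m.login.password flow; a wrong password comes back as 403 with errcode M_FORBIDDEN."""
    payload = {
        "type": "m.login.password",
        "identifier": {"type": "m.id.user", "user": user},
        "password": password,
        "initial_device_display_name": "leaked-credential check",
    }
    status, body = http("POST", f"{base_url}/_matrix/client/v3/login", payload, {})
    if status != 200:
        raise PermissionError(body.get("errcode", f"HTTP {status}"))
    return body  # contains user_id, access_token, device_id


def logout(base_url: str, access_token: str, http: Transport = urllib_transport) -> bool:
    """Invalidate the token we just minted so the report does not leave a live session behind."""
    status, _ = http("POST", f"{base_url}/_matrix/client/v3/logout", {},
                     {"Authorization": f"Bearer {access_token}"})
    return status == 200


def validate_leaked_credential(server_name: str, user: str, password: str,
                               http: Transport = urllib_transport) -> dict:
    """Prove the credential is live and stop there: discover, log in, log out."""
    base_url = discover_homeserver(server_name, http)
    session = password_login(base_url, user, password, http)
    revoked = logout(base_url, session["access_token"], http)
    return {"homeserver": base_url, "user_id": session["user_id"], "token_revoked": revoked}


def fake_transport(method: str, url: str, body: Optional[dict], headers: Dict[str, str]) -> Tuple[int, dict]:
    """Constructed stand-in for a homeserver so the example runs offline."""
    if url.endswith("/.well-known/matrix/client"):
        return 404, {}  # no delegation: the homeserver is the subdomain itself
    if url.endswith("/_matrix/client/versions"):
        return 200, {"versions": ["v1.1", "v1.5"]}
    if url.endswith("/_matrix/client/v3/login"):
        if body and body.get("password") == "some_leaked_password":
            return 200, {"user_id": "@matrixbot:thewebsite.com",
                         "access_token": "syt_example_token", "device_id": "EXAMPLE"}
        return 403, {"errcode": "M_FORBIDDEN", "error": "Invalid password"}
    if url.endswith("/_matrix/client/v3/logout"):
        if headers.get("Authorization", "").startswith("Bearer "):
            return 200, {}
        return 401, {"errcode": "M_MISSING_TOKEN"}
    return 404, {"errcode": "M_UNRECOGNIZED"}


if __name__ == "__main__":
    print(validate_leaked_credential("matrix.thewebsite.com", "matrixbot",
                                     "some_leaked_password", fake_transport))
```

Logging out straight after the login is the code form of the "do not go very deep" takeaway: the report needs proof that the secret is live, not a standing session on the bot account.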
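
The "purge the files" takeaway, as an added example that is not the post's or the affected company's code: a scanner for the exact Helm pattern above, a Secret value whose `default "..."` literal is piped into `b64enc`, that can be run over the working tree or over every historical revision. The history pass matters because a file removed in HEAD is still one `git show <rev>:<path>` away until the history is rewritten. The sensitive-key heuristic, the function names and the sample template are my assumptions, not anything from the original.

```python
# Added example, not tooling from the original post: flag Helm templates that ship a real
# credential as the `default` of a Secret value and run the check over every revision,
# because a file deleted from the working tree is still recoverable from git history.
# The sensitive-key heuristic and the sample template are constructed for this example.
import re
import subprocess
from typing import Iterable, Iterator, List, NamedTuple, Tuple

# matrixbot-password: {{ .Values.matrixbot.password | default "hunter2" | b64enc }}
DEFAULT_SECRET_RE = re.compile(
    r'^\s*(?P<key>[\w.\-]+)\s*:\s*\{\{[^}]*\|\s*default\s+"(?P<literal>[^"]*)"[^}]*\|\s*b64enc\b[^}]*\}\}'
)
# Assumption: a key is worth flagging if its name looks like a credential.
SENSITIVE_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|api[-_]?key|private[-_]?key|user(name)?", re.I)


class Finding(NamedTuple):
    ref: str
    path: str
    line: int
    key: str
    literal: str


def find_default_secrets(text: str, ref: str = "worktree", path: str = "<template>") -> List[Finding]:
    """Return every sensitive key whose Helm default is a non-empty literal."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DEFAULT_SECRET_RE.match(line)
        if not m:
            continue
        key, literal = m.group("key"), m.group("literal")
        # `default ""` is the safe idiom: the chart renders an empty value instead of a real one.
        if literal and SENSITIVE_KEY_RE.search(key):
            findings.append(Finding(ref, path, lineno, key, literal))
    return findings


def scan_blobs(blobs: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """blobs yields (ref, path, text); git_history_blobs below is a real source for it."""
    out: List[Finding] = []
    for ref, path, text in blobs:
        out.extend(find_default_secrets(text, ref, path))
    return out


def git_history_blobs(repo: str, path: str) -> Iterator[Tuple[str, str, str]]:
    """Every historical version of `path` across all branches (not exercised offline).
    Commits that deleted the file are skipped because `git show` has nothing to print."""
    revs = subprocess.run(["git", "-C", repo, "log", "--all", "--format=%H", "--", path],
                          capture_output=True, text=True, check=True).stdout.split()
    for rev in revs:
        shown = subprocess.run(["git", "-C", repo, "show", f"{rev}:{path}"],
                               capture_output=True, text=True)
        if shown.returncode == 0:
            yield rev, path, shown.stdout


# Constructed sample: two leaked defaults, one harmless non-secret default, one safe empty default.
SAMPLE_TEMPLATE = """\
apiVersion: v1
kind: Secret
metadata:
  name: matrixbot
data:
  matrixbot-username: {{ .Values.matrixbot.username | default "some_leaked_username" | b64enc }}
  matrixbot-password: {{ .Values.matrixbot.password | default "some_leaked_password" | b64enc }}
  log-level: {{ .Values.logLevel | default "info" | b64enc }}
  api-token: {{ .Values.apiToken | default "" | b64enc }}
"""

if __name__ == "__main__":
    for f in find_default_secrets(SAMPLE_TEMPLATE, "HEAD", "templates/secret.yaml"):
        print(f"{f.ref} {f.path}:{f.line} {f.key} defaults to {f.literal!r}")
    # Against a real repository:
    # for f in scan_blobs(git_history_blobs(".", "templates/secret.yaml")): print(f)
```

Running the scanner over `git_history_blobs` instead of the checkout is what turns "we deleted the file" into "we confirmed the literal is gone from every reachable commit"; if it is not, the fix is a history rewrite plus credential rotation, which is what the timeline above records.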