
@nothings
Last active October 29, 2015 18:25

Patreon Vulnerability

Until 2015-10-13, Patreon had a flaw which allowed public access on their website patreon.com to certain information which was supposed to be private.

The following things were exposed:

  • Existence of users with "unlisted" profiles
  • Dollar amount given by every user to every campaign

However:

  • NO credit card numbers were exposed
  • NO passwords were exposed
  • NO physical addresses were exposed

Background

Patreon is a company which allows users ("patrons") to donate monthly (typically) to other users ("campaigns"). On the web page for each campaign you can find a list of patrons, but that list does not include unlisted users, nor does it include the amount each patron is giving to each campaign.

On 2015-09-30, Patreon announced that they had been hacked on 2015-09-28. The data from that hack was eventually publicly released, and included full names, email addresses, some physical addresses, and donation amounts.

All of the information exposed by the vulnerability described here was already available in that leak, so the only new exposure was donation amounts which had been changed or added in the two weeks since the leak.

Nature of the vulnerability

Patreon has a portion of their website devoted to a "JSON API" which returns information in a software-accessible format for use by other programs, most importantly the Patreon iOS app. Until they fixed the flaw on October 13th, certain simple requests to this API returned results that included the supposedly private information described above.

Although the Patreon JSON API is not documented, it is straightforward to use by typing a fairly simple URL into a browser. It did not require an "API key" or "secret" password to access, only the internal identifier of a user or campaign, which was typically visible in the "page source" of the public web pages.
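
The underlying defect is an API that serialized records without applying the same visibility rules the public web page already enforced. As an added example (not Patreon's code; all names and data are constructed), this is an authorization-aware serializer for a campaign's patron list that keeps unlisted patrons and per-patron amounts out of responses to callers who are not entitled to them:

```python
# Added example (not Patreon's code): an authorization-aware serializer for a
# campaign's patron list. The two fields the advisory names as private
# (existence of unlisted patrons, per-patron amounts) are released only to
# the patron themselves or the campaign owner. All names/data are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pledge:
    patron_id: int
    patron_name: str
    unlisted: bool        # patron chose a hidden profile
    amount_cents: int     # monthly pledge, private to patron and campaign owner

@dataclass(frozen=True)
class Viewer:
    user_id: Optional[int]  # None for an anonymous / unauthenticated request

def visible_pledges(pledges, viewer, campaign_owner_id):
    """Return the JSON-ready patron list for one campaign, filtered for `viewer`.

    Rules (mirroring what the public web page already enforced):
      * unlisted patrons appear only to themselves and the campaign owner
      * amount_cents appears only to that patron and the campaign owner
    Anonymous viewers therefore get exactly the data the public page shows.
    """
    is_owner = viewer.user_id is not None and viewer.user_id == campaign_owner_id
    out = []
    for p in pledges:
        is_self = viewer.user_id == p.patron_id
        if p.unlisted and not (is_self or is_owner):
            continue  # the existence of an unlisted patron is itself private
        record = {"id": p.patron_id, "name": p.patron_name}
        if is_self or is_owner:
            record["amount_cents"] = p.amount_cents
        out.append(record)
    return out

# Constructed sample data for a stand-alone run.
SAMPLE = [
    Pledge(1, "alice", unlisted=False, amount_cents=500),
    Pledge(2, "bob", unlisted=True, amount_cents=2500),
]
OWNER_ID = 99

if __name__ == "__main__":
    print(visible_pledges(SAMPLE, Viewer(None), OWNER_ID))      # anonymous: alice only, no amount
    print(visible_pledges(SAMPLE, Viewer(2), OWNER_ID))         # bob sees himself, with amount
    print(visible_pledges(SAMPLE, Viewer(OWNER_ID), OWNER_ID))  # owner sees both, with amounts
```

The same filter must be applied by every endpoint that emits pledge data, including the ones built for a mobile app, since an unauthenticated caller can reach those just as easily as the HTML pages.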

Timeline

  • October 12th, 17:50 PDT: I'm notified of the Patreon 'leaky API' by a concerned third party
  • October 12th, 19:31 PDT: I email Patreon with a description of the flaw
  • October 13th, 20:01 PDT: I receive email from a Patreon employee reporting the flaw is fixed and giving more details

Contact

I am not a professional or amateur security researcher, so if you are press I may not be the best person to contact. Regardless, I can be reached at sean@nothings.org
