background
i like to do this thing where i search twitter, looking for companies, and then try giving them a quick pentest. i've done a lot of my hacks this way and it's more effective than you think it is.
on this search, i use the "Relevant People" tab more often than you'd think; this is how i got to a16z
- crypto bullshit -> venture capital firms for crypto -> a16z crypto -> a16z
the hack
while looking into a16z, i did a usual subdomain scan and used tooling from lunchcat which does common checks on domains, scanning for secrets in js files, etc.
in this search, i came across portfolio.a16z.com, a site that seems like a portfolio management tool for companies that are in a16z. while doing cursory checks like i usually do, lunchcat seemed to catch an AWS key referenced somewhere in the website.
i confirmed this, and what i saw in the js was this:
{
MARKETPLACE_URL: "<REDACTED>",
DATABASE_URL: "<REDACTED>",
SALESFORCE_CLIENT_ID: "<REDACTED>",
SALESFORCE_SECURITY_TOKEN: "<REDACTED>",
npm_config_user_agent: "<REDACTED>",
SALESFORCE_CLIENT_SECRET: "<REDACTED>",
SALESFORCE_USERNAME: "<REDACTED>",
OKTA_CLIENT_ID: "<REDACTED>",
OKTA_CLIENT_SECRET: "<REDACTED>",
SESSION_SECRET: "<REDACTED>",
API_USERNAME: "<REDACTED>",
GOOGLE_CLIENT_ID_DEVELOPMENT: "<REDACTED>",
CLIENT_TOKEN_SECRET: "<REDACTED>",
GOOGLE_CLIENT_SECRET_DEVELOPMENT: "<REDACTED>",
AWS_BUCKET_NAME: "<REDACTED>",
npm_config_prefix: "<REDACTED>",
REACT_APP_SENTRY_DSN: "<REDACTED>",
AWS_BUCKET_TEAM_PAGES: "<REDACTED>",
MAILGUN_API_KEY: "<REDACTED>",
GOOGLE_CLIENT_ID: "<REDACTED>",
AWS_LOGO_BUCKET_URL: "<REDACTED>",
SALESFORCE_KEY: "<REDACTED>",
GOOGLE_CLIENT_SECRET: "<REDACTED>",
PAPERTRAIL_API_TOKEN: "<REDACTED>",
MAILGUN_PASSWORD: "<REDACTED>",
OKTA_CALLBACK_URL: "<REDACTED>",
SALESFORCE_PASSWORD: "<REDACTED>",
MAILGUN_USER: "<REDACTED>",
AWS_ACCESS_KEY_ID: "<REDACTED>",
PNPM_CONFIG_CACHE: "<REDACTED>",
AWS_SECRET_ACCESS_KEY: "<REDACTED>",
MAILGUN_DOMAIN: "<REDACTED>",
GOOGLE_CALLBACK_URL_DEVELOPMENT: "<REDACTED>",
API_PASSWORD: "<REDACTED>",
SENTRY_DSN: "<REDACTED>",
SALESFORCE_LOGIN_URL: "<REDACTED>",
COOKIE_SECRET: "<REDACTED>",
OKTA_DOMAIN: "<REDACTED>",
NODE_MODULES_CACHE: "<REDACTED>",
GOOGLE_CALLBACK_URL: "<REDACTED>",
NODE_ENV: "<REDACTED>",
HEROKU_POSTGRESQL_CRIMSON_URL: "<REDACTED>",
TALENTPLACE_URL: "<REDACTED>",
}
this was. horrifying. it was the entire process.env of a heroku instance, in the JS, put in dynamically.
i did a quick validity check of the credentials and they didn't seem like fake credentials. they. were. real. and all someone had to do to find them was go to the sources tab of inspect element.
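to make the failure mode concrete, here is an added example (mine, not code from the post, from a16z, or from lunchcat) that shows the server-side pattern that ships a whole environment to the browser, the allowlist version that doesn't, and the kind of key-name check that tooling like the "secrets in js files" scan mentioned above can run over a served bundle. the env object, the function names (buildClientConfigUnsafe, buildClientConfigSafe, findLeakedSecrets) and the allowlist are all constructed for the example.

```javascript
// Added example, not from the original post or the site it describes.
// Assumes a Node server that renders a config object into the HTML it
// serves; all names and values below are constructed for illustration.

// Constructed stand-in for process.env on a Heroku-style dyno.
const SAMPLE_ENV = {
  NODE_ENV: "production",
  REACT_APP_SENTRY_DSN: "https://public@sentry.example/1",
  OKTA_DOMAIN: "example.okta.com",
  AWS_ACCESS_KEY_ID: "AKIA_EXAMPLE_NOT_REAL",
  AWS_SECRET_ACCESS_KEY: "example-secret-not-real",
  DATABASE_URL: "postgres://user:pass@db.example/app",
  SESSION_SECRET: "example-session-secret",
};

// VULNERABLE: the pattern the post describes. The whole environment is
// serialized into the page, so every server-side secret ships to the browser.
function buildClientConfigUnsafe(env) {
  return `<script>window.__CONFIG__ = ${JSON.stringify(env)};</script>`;
}

// HARDENED: only an explicit allowlist of genuinely public values reaches
// the client. Anything not named here stays on the server by default.
const PUBLIC_KEYS = ["NODE_ENV", "REACT_APP_SENTRY_DSN", "OKTA_DOMAIN"];

function buildClientConfigSafe(env) {
  const publicConfig = {};
  for (const key of PUBLIC_KEYS) {
    if (key in env) publicConfig[key] = env[key];
  }
  return `<script>window.__CONFIG__ = ${JSON.stringify(publicConfig)};</script>`;
}

// DETECTION: a check a defender can run over served JS/HTML, or as a CI
// step over the built bundle. It flags object keys whose names imply a
// secret, so it still fires when the values themselves are redacted.
const SENSITIVE_KEY = /(SECRET|PASSWORD|TOKEN|API_KEY|ACCESS_KEY|DATABASE_URL|POSTGRESQL)/;

function findLeakedSecrets(text) {
  const hits = new Set();
  // Matches both quoted ("KEY":) and bare (KEY:) upper-case object keys.
  const keyPattern = /["']?([A-Z][A-Z0-9_]{3,})["']?\s*:/g;
  let m;
  while ((m = keyPattern.exec(text)) !== null) {
    if (SENSITIVE_KEY.test(m[1])) hits.add(m[1]);
  }
  return [...hits].sort();
}

// Stand-alone run: the unsafe page trips the scanner, the safe page does not.
console.log("unsafe page leaks:", findLeakedSecrets(buildClientConfigUnsafe(SAMPLE_ENV)));
console.log("safe page leaks:", findLeakedSecrets(buildClientConfigSafe(SAMPLE_ENV)));
```

the allowlist is the important design choice: a denylist of "secret-looking" names will miss the next key someone adds (HEROKU_POSTGRESQL_*_URL is a database connection string with credentials in it, but nothing in its name says "secret"), whereas an allowlist fails closed. the name-based scan is a cheap second line of defence over whatever the server actually emits, not a substitute for the allowlist.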
impact
the compromised list of services:
- their database (containing PII)
- their AWS
- their salesforce (never checked, account may be limited)
- mailgun (arbitrary emails from a16z domains, and also could read older emails)
- ... and probably more
reward
a16z did not give me any bug bounty on this because i publicly reached out instead of trying to reach out privately. the only reason i did it this way was because:
- there was no available contact on their main site
- the email i could find, engineering@a16z.com, bounced my emails
so, i dunno. imo this is unfair.
related
techcrunch article (lorenzo reached out to me after seeing my tweet trying to get in contact with them, and wrote a piece!): https://techcrunch.com/2024/07/18/researcher-finds-flaw-in-a16z-website-that-exposed-some-company-data/