abusesaffiliationarrow-downarrow-leftarrow-rightarrow-upattack-typeburgerchevron-downchevron-leftchevron-rightchevron-upClock iconclosedeletedevelopment-povertydiscriminationdollardownloademailenvironmentexternal-linkfacebookfiltergenderglobegroupshealthC4067174-3DD9-4B9E-AD64-284FDAAE6338@1xinformation-outlineinformationinstagraminvestment-trade-globalisationissueslabourlanguagesShapeCombined Shapeline, chart, up, arrow, graphLinkedInlocationmap-pinminusnewsorganisationotheroverviewpluspreviewArtboard 185profilerefreshIconnewssearchsecurityPathStock downStock steadyStock uptagticktooltiptwitteruniversalityweb

這頁面沒有繁體中文版本,現以English顯示

文章

6 四月 2023

作者:
Zack Whittaker, TechCrunch

Security researchers expose security bug on Throne that allowed the creator's private home addresses to be accessed

"Throne fixes security bug that exposed creators’ private home addresses", 6 April 2023

A recently fixed security bug at a popular platform for supporting creators shows how even privacy-focused platforms can put creators’ private information at risk.

Throne, founded in 2021, bills itself as “a fully secure, concierge wishlist service that acts as an intermediary between your fans and you.” Throne claims to support more than 200,000 creators by shipping out thousands of their wish list items per day, all the while protecting the privacy of the creators’ home address.

The idea is that online creators, like streamers and gamers, can publish a wish list of gifts that supporters can buy, and Throne acts as the go-between. “Your fans pay for the gifts and we handle the rest,” its website reads. “We make sure that the payment gets processed, that the item gets sent, and most importantly, that your private information stays private.”

But a group of good-faith hackers found a vulnerability that undermined that claim and exposed the private home addresses of its creator users.

Enter Zerforschung, the German collective of security researchers behind its latest discovery.

Zerforschung told TechCrunch that they discovered the vulnerability in how the company set up its database, hosted on Google’s Firebase, to store data. The researchers said that the database was inadvertently configured to allow anyone on the internet to access the data inside, including session cookies for its Amazon accounts from the database, which can be used to break into an account without needing the password.

With those Amazon session cookies, the security researchers found they could access Throne’s Amazon account used for ordering and sending gifts from a creator’s wish list, without ever needing a password. The researchers said that anyone with the same session cookies, effectively the keys to Throne’s Amazon account, could log in and look back at thousands of orders and their creators’ names and addresses.

The collective of researchers reported the bug to Throne later the same day. Throne fixed the bug shortly after, and confirmed the security lapse in a blog post published this week, thanking Zerforschung for their findings.

But questions remain for the company. Throne says it used network logs to determine that “there was no risk and no unknown party had viewed any data.” Zerforschung disputes this claim, as Throne did not ask the collective for their IP addresses that the company could use to investigate the incident while ruling out the researchers’ activity.

Throne also claimed in its blog post that an unnamed German data privacy expert “confirmed that there was no data risk,” which doesn’t make sense since Zerforschung proved that to the contrary.

When reached for comment, Throne co-founder Patrice Becker reiterated much of Throne’s blog post in boilerplate remarks but declined to answer our specific questions or provide the name of the alleged data privacy expert from its blog post.

Becker did not dispute Zerforschung’s findings or the exposure of creators’ home addresses when asked about this.

隱私資訊

本網站使用 cookie 和其他網絡存儲技術。您可以在下方設置您的隱私選項。您所作的更改將立即生效。

有關我們使用網絡儲存技術的更多資訊,請參閱我們的 數據使用和 Cookie 政策

Strictly necessary storage

ON
OFF

Necessary storage enables core site functionality. This site cannot function without it, so it can only be disabled by changing settings in your browser.

分析cookie

ON
OFF

您瀏覽本網頁時我們將以Google Analytics收集信息。接受此cookie將有助我們理解您的瀏覽資訊,並協助我們改善呈現資訊的方法。所有分析資訊都以匿名方式收集,我們並不能用相關資訊得到您的個人信息。谷歌在所有主要瀏覽器中都提供退出Google Analytics的添加應用程式。

市場營銷cookies

ON
OFF

我們從第三方網站獲得企業責任資訊,當中包括社交媒體和搜尋引擎。這些cookie協助我們理解相關瀏覽數據。

您在此網站上的隱私選項

本網站使用 cookie 和其他網絡儲存技術來增強您在必要核心功能之外的體驗。