Email Flaw Grants Access to Any Medium Page
Social Media // Web Services
A penetration tester figured out how to add himself to the White House’s Medium publication, Motherboard reports.
Allan Jay Dumanhug found that Medium’s feature for adding authors by email could be used to add a person as an author to any Medium publication, and proved the concept with the White House’s Medium channel. By swapping out the 12-digit publication code in the invite’s HTTP request, he received an invitation to contribute.
A Medium spokeswoman told Motherboard the flaw allowed the invited person to submit drafts to the channel, but did not allow them to publish.
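The publication-code swap described above is an instance of missing object-level authorization: the server acts on an identifier from the request without checking the caller's role on that object. The sketch below is an added example, not Medium's code; it assumes that root cause, and every name, publication code and address in it is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Publication:
    pub_id: str                                   # 12-digit code sent in the invite request
    editors: set = field(default_factory=set)     # users allowed to invite authors
    pending_invites: set = field(default_factory=set)

# Constructed sample data: two publications with different editors.
PUBLICATIONS = {
    "100000000001": Publication("100000000001", editors={"alice"}),
    "200000000002": Publication("200000000002", editors={"bob"}),
}

class Forbidden(Exception):
    """Raised when the caller may not invite authors to the publication."""

def invite_author_unchecked(session_user, pub_id, email):
    # Weak form: the publication code comes from the client and is trusted,
    # so any logged-in user can create an invite on any publication.
    PUBLICATIONS[pub_id].pending_invites.add(email)
    return True

def invite_author_checked(session_user, pub_id, email):
    # Hardened form: the caller's role is resolved server-side against the
    # publication named in the request before anything is written.
    pub = PUBLICATIONS.get(pub_id)
    # Same error for "unknown code" and "not an editor", so the response
    # does not reveal which publication codes exist.
    if pub is None or session_user not in pub.editors:
        raise Forbidden("caller cannot invite authors to this publication")
    pub.pending_invites.add(email)
    return True

if __name__ == "__main__":
    # alice edits 100000000001 only; the request names bob's publication.
    print(invite_author_unchecked("alice", "200000000002", "alice@example.test"))
    try:
        invite_author_checked("alice", "200000000002", "alice2@example.test")
    except Forbidden as exc:
        print("rejected:", exc)
```

A regression test for this class of bug issues the invite request as a user with no role on the target publication and asserts that it is rejected and that no invite is stored.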