Throne fixes security bug that exposed creators’ private home addresses


A recently fixed security bug at a popular platform for supporting creators shows how even privacy-focused platforms can put creators’ private information at risk.

Throne, founded in 2021, bills itself as “a fully secure, concierge wishlist service that acts as an intermediary between your fans and you.” Throne claims to support more than 200,000 creators by shipping out thousands of their wishlist items per day, all the while protecting the privacy of the creators’ home address.

The idea is that online creators, like streamers and gamers, can publish a wishlist of gifts that supporters can buy, and Throne acts as the go-between. “Your fans pay for the gifts and we handle the rest,” its website reads. “We make sure that the payment gets processed, that the item gets sent, and most importantly, that your private information stays private.”

But a group of good-faith hackers found a vulnerability that undermined that claim and exposed the private home addresses of its creator users.

Enter Zerforschung, the German collective of security researchers behind its latest discovery. You may remember the collective from December when they found and disclosed major security bugs in social media alternative Hive, which sprang to popularity in the exodus from Twitter under Elon Musk’s new ownership. Hive briefly shut itself down to fix the vulnerabilities found by Zerforschung, which allowed anyone to modify anyone else’s posts and access other people’s private messages.

Zerforschung told TechCrunch that they discovered the vulnerability in how the company set up its database, hosted on Google’s Firebase, to store data. The researchers said that the database was inadvertently configured to allow anyone on the internet to read the data inside, including session cookies for its Amazon accounts, which can be used to break into an account without needing the password.
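The misconfiguration described here, and which Throne later attributed to “misconfigured Firestore rules”, is typically a rule set that lets unauthenticated clients read every document. The following Firestore security rules file is an added illustration, not Throne’s actual configuration: the collection names (`creators`, `merchantSessions`, `blockedIps`) are assumptions, since the page does not describe the real schema. The overly permissive rule is shown commented out next to a default-deny layout in which server-only secrets are never readable from a client at all.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The kind of rule that exposes a whole database: the recursive wildcard
    // matches every document, and "if true" grants access to anyone on the
    // internet, authenticated or not. Shown only as the "before" state.
    //
    // match /{document=**} {
    //   allow read, write: if true;
    // }

    // Firestore denies any request that no rule explicitly allows, so the
    // absence of a catch-all wildcard above is itself the baseline protection.

    // Hypothetical per-creator profile documents: a signed-in user may read
    // and update only the document keyed by their own Firebase Auth uid.
    match /creators/{creatorId} {
      allow read, update: if request.auth != null
                          && request.auth.uid == creatorId;
      allow create:       if request.auth != null
                          && request.auth.uid == creatorId;
      allow delete:       if false;
    }

    // Hypothetical collections holding merchant session cookies and the
    // fraud-prevention IP block list. These are backend-only data: clients
    // get no access under any condition, so only trusted server code
    // (Admin SDK, which bypasses rules) can touch them.
    match /merchantSessions/{sessionId} {
      allow read, write: if false;
    }
    match /blockedIps/{ipId} {
      allow read, write: if false;
    }
  }
}
```

Rules can be exercised against the local emulator or the Rules Playground in the Firebase console before being pushed with `firebase deploy --only firestore:rules`; the check worth automating is that an unauthenticated request against each collection is rejected, because a single permissive wildcard silently overrides every narrower rule beneath it.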

Session cookies are small pieces of data that sit on your computer or device to keep users logged into apps and websites without having to repeatedly re-enter a password or sign in with two-factor authentication. Because session cookies keep the user logged in, they can be an attractive target for hackers since they can be used to log in as if they were that user. That can also make it more difficult to detect when someone other than the user is misusing a session cookie.
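One defensive answer to the detection problem just described is to record the client fingerprint (source IP and user agent) when a session is established and alert when the same session cookie later appears from a different one. The snippet below is an added example written for this article, not code from Throne or TechCrunch; the log format and the sample lines are constructed, and the field names (`sid`, `ip`, `ua`) are assumptions to be adapted to real server logs.

```javascript
// Added example: flag session identifiers that are presented from a different
// client fingerprint than the one observed at login, or with no login at all.
// Log format and sample lines are constructed for this illustration.

const SAMPLE_LOG = [
  // constructed: timestamp  event   session id   source ip   user agent
  '2023-04-01T10:00:00Z login   sid=abc123 ip=203.0.113.10 ua=Firefox/112',
  '2023-04-01T10:05:00Z request sid=abc123 ip=203.0.113.10 ua=Firefox/112',
  '2023-04-01T11:30:00Z request sid=abc123 ip=198.51.100.7 ua=curl/8.0',
  '2023-04-01T12:00:00Z login   sid=def456 ip=192.0.2.44 ua=Chrome/112',
  '2023-04-01T12:10:00Z request sid=def456 ip=192.0.2.44 ua=Chrome/112',
  '2023-04-01T12:15:00Z request sid=ghi789 ip=192.0.2.99 ua=Chrome/112',
];

// Parse one log line into its fields; returns null for lines that do not match.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(\w+)\s+sid=(\S+)\s+ip=(\S+)\s+ua=(.+)$/);
  if (!m) return null;
  const [, ts, event, sid, ip, ua] = m;
  return { ts, event, sid, ip, ua };
}

// Walk the log in order. A "login" event records the fingerprint that created
// the session; every later use of that session is compared against it.
function detectSessionAnomalies(lines) {
  const sessions = new Map(); // sid -> { ip, ua } captured at login
  const alerts = [];

  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;

    if (rec.event === 'login') {
      sessions.set(rec.sid, { ip: rec.ip, ua: rec.ua });
      continue;
    }

    const origin = sessions.get(rec.sid);
    if (!origin) {
      // A cookie that was never minted here is being replayed: the pattern a
      // leaked session store would produce.
      alerts.push({ ts: rec.ts, sid: rec.sid,
                    reason: 'session used without an observed login' });
      continue;
    }

    const changed = [];
    if (origin.ip !== rec.ip) changed.push(`ip ${origin.ip} -> ${rec.ip}`);
    if (origin.ua !== rec.ua) changed.push(`ua ${origin.ua} -> ${rec.ua}`);
    if (changed.length > 0) {
      alerts.push({ ts: rec.ts, sid: rec.sid,
                    reason: 'fingerprint changed: ' + changed.join(', ') });
    }
  }
  return alerts;
}

// Stand-alone run over the constructed sample.
for (const a of detectSessionAnomalies(SAMPLE_LOG)) {
  console.log(`${a.ts} ${a.sid}: ${a.reason}`);
}
```

On the sample this raises two alerts: `abc123` reappears from a new address and a command-line client, and `ghi789` is used with no login on record. IP changes alone are common for mobile users, so the output is a trigger for step-up authentication or session revocation rather than an automatic block; the combination of an IP change with a user-agent change, or a session with no login at all, is the higher-confidence signal.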

With those Amazon session cookies, the security researchers found they could access Throne’s Amazon account used for ordering and sending gifts from a creator’s wishlist, without ever needing a password. The researchers said that anyone with the same session cookies, effectively the keys to Throne’s Amazon account, could log in and look back at thousands of orders and their creators’ names and addresses.

Zerforschung demonstrated the bug in a video call with TechCrunch last week, allowing us to verify their findings. The researchers showed us the thousands of orders placed through Throne’s Amazon account in the past few months, showing that the names and addresses of creators that Throne claimed to protect were exposed.

The collective of researchers reported the bug to Throne later the same day. Throne fixed the bug shortly after, and confirmed the security lapse in a blog post published this week, thanking Zerforschung for their findings.

“In late March a version of Throne was shipped which had misconfigured Firestore rules. This made it possible for the security researchers to read some data which should not have been available such as the blocked IP addresses we maintain for fraud prevention purposes and session cookies for a small subset of our merchant accounts,” Throne said.

But questions remain for the company. Throne says it used network logs to determine that “there was no risk and no unknown party had viewed any data.” Zerforschung disputes this claim, as Throne did not ask the collective for their IP addresses that the company could use to investigate the incident while ruling out the researchers’ activity.

Logs are important because they keep track of internal events, such as who logs in from where, and when. The logic goes that if security researchers like Zerforschung found the bug, it could be that malicious actors may have discovered it as well. It’s not clear if anyone else accessed or exfiltrated Throne data, or if Throne has the technical ability to determine what, if any, data was viewed.

Throne also claimed in its blog post that an unnamed German data privacy expert “confirmed that there was no data risk,” which doesn’t make sense since Zerforschung proved the contrary.

When reached for comment, Throne co-founder Patrice Becker reiterated much of Throne’s blog post in boilerplate remarks but declined to answer our specific questions or provide the name of the alleged data privacy expert from its blog post.

Becker did not dispute Zerforschung’s findings or the exposure of creators’ home addresses when asked about this.
