This report was fully disclosed on 24 January 2020
An IP address appearing to be managed by “Urban Compass, Inc.” and running “Apache Airflow” is accessible to remote unauthenticated users causing sensitive information disclosure and potentially allowing for denial of service and service interruption.
Proof of Concept
The IP address in question is
126.96.36.199:8080. Simply opening the affected target in a web browser reveals sensitive information such as the slack token shown at
/admin/variable/. Additionally no authentication is required to make modifications within Apache Airflow.
Please see the attached screenshots for further proof.
- Implement proper access controls.
- Revoke affected credentials
At the time of publishing this report the reported issue has been resolved.
Response From Affected Party
Response from [email protected] 23 January 2020
Thanks for contacting this with this finding. We greatly appreciate the efforts of security researchers to help improve our security and keep our users and our site safe. We’re in the process of refreshing our security program and have a lot of security improvements in the works but don’t have a bug bounty program established today.
Since you’ve pointed out a resource that was unintentionally exposed we’d like to offer you a t-shirt as recognition for your help. We also plan to establish a hall of fame in the future for researchers who responsibly disclose security issues to us, if you’ll permit it.
Please let us know if you’d like to be sent a t-shirt and if you want to be included in that future resource. And, if you’re looking for a job and like automating security, please check out our careers page! We have a number of open roles for security engineers.
90 Fifth Avenue, 3rd Floor
New York NY 10011
- 22 January 2020: Affected Party Notified
- 23 January 2020: Affected Party Responded (+1 days)
- 23 January 2020: Affected Party Released Patch (+1 days)
- 24 January 2020: Report Published (+2 days)