This report was fully disclosed on 24 January 2020

Summary

An IP address appearing to be managed by “Urban Compass, Inc.” and running “Apache Airflow” is accessible to remote unauthenticated users causing sensitive information disclosure and potentially allowing for denial of service and service interruption.

Proof of Concept

The IP address in question is 3.91.40.185:8080. Simply opening the affected target in a web browser reveals sensitive information such as the slack token shown at /admin/variable/. Additionally no authentication is required to make modifications within Apache Airflow. Please see the attached screenshots for further proof.

image tooltip here image tooltip here
  • Implement proper access controls.
  • Revoke affected credentials

Remediation Status

At the time of publishing this report the reported issue has been resolved.

Response From Affected Party

Response from [email protected] 23 January 2020

Hi GlitchWitch,

Thanks for contacting this with this finding. We greatly appreciate the efforts of security researchers to help improve our security and keep our users and our site safe. We’re in the process of refreshing our security program and have a lot of security improvements in the works but don’t have a bug bounty program established today.

Since you’ve pointed out a resource that was unintentionally exposed we’d like to offer you a t-shirt as recognition for your help. We also plan to establish a hall of fame in the future for researchers who responsibly disclose security issues to us, if you’ll permit it.

Please let us know if you’d like to be sent a t-shirt and if you want to be included in that future resource. And, if you’re looking for a job and like automating security, please check out our careers page! We have a number of open roles for security engineers.

Cade Cairns

Security Engineer‌

90 Fifth Avenue, 3rd Floor

New York NY 10011

https://s3.amazonaws.com/images89845315676/national_2019.gif

Timeline

  • 22 January 2020: Affected Party Notified
  • 23 January 2020: Affected Party Responded (+1 days)
  • 23 January 2020: Affected Party Released Patch (+1 days)
  • 24 January 2020: Report Published (+2 days)