Researchers nab $4,000 bug bounty after discovering SSRF vulnerability in Snapchat’s ad platform

A group of security researchers have earned $4,000 after discovering a server-side request forgery (SSRF) vulnerability in Snapchat.

The team – Ben Sadeghipour, Sera Brocious, and Brett Buerhaus – were able to show that an SSRF flaw in the messaging app’s Ads Manager platform created a means to exfiltrate data from Snapchat’s internal endpoints.

More specifically, they were able to develop a custom webpage configured to utilize DNS rebinding to access sensitive web endpoints including Google’s metadata service.

“Using this they are able to mint tokens for the service-account assigned to the instance hosting the Chrome instances used for extracting webpages assets for media projects,” according to Snapchat in a write-up of the now-resolved vulnerability on HackerOne.

Sadeghipour and Brocious uncovered the vulnerability after noticing “weird behavior in the import function of the creative app” in the process of looking through Snapchat’s ad site.

The Daily Swig invited both Sadeghipour and Snapchat to comment on the vulnerability. We’ll update this story as and when more information comes to hand.

SSRF is a class of web security vulnerability where an attacker abuses the functionality of servers to perform actions on data that they would have no means to access directly.

Source: https://portswigger.net/daily-swig/researchers-nab-4-000-bug-bounty-after-discovering-ssrf-vulnerability-in-snapchats-ad-platform