Throne fixes security bug that exposed creators’ private home addresses

/in


A recently fixed security bug at a popular platform for supporting creators shows how even privacy-focused platforms can put creators’ private information at risk.

Throne, founded in 2021, bills itself as “a fully secure, concierge wishlist service that acts as an intermediary between your fans and you.” Throne claims to support more than 200,000 creators by shipping out thousands of their wish list items per day, all the while protecting the privacy of the creators’ home address.

The idea is that online creators, like streamers and gamers, can publish a wish list of gifts that supporters can buy, and Throne acts as the go-between. “Your fans pay for the gifts and we handle the rest,” its website reads. “We make sure that the payment gets processed, that the item gets sent, and most importantly, that your private information stays private.”

But a group of good-faith hackers found a vulnerability that undermined that claim and exposed the private home addresses of its creator users.

Enter Zerforschung, the German collective of security researchers behind its latest discovery. You may remember the collective from December when they found and disclosed major security bugs in social media alternative Hive, which sprung to popularity in the exodus from Twitter under Elon Musk’s new ownership. Hive briefly shut itself down to fix the vulnerabilities found by Zerforschung, which allowed anyone to modify anyone else’s posts and access other people’s private messages.

Zerforschung told TechCrunch that they discovered the vulnerability in how the company set up its database, hosted on Google’s Firebase, to store data. The researchers said that the database was inadvertently configured to allow anyone on the internet to access the data inside, including session cookies for its Amazon accounts from the database, which can be used to break into an account without needing the password.

Session cookies are small bits of code that sit on your computer or device to keep users logged into apps and websites without having to repeatedly re-enter a password or sign-in with two-factor authentication. Because session cookies keep the user logged in, they can be an…

Source…