Snapchat has awarded researchers a total of $20,000 for finding exposed Jenkins instances that allowed arbitrary code execution and provided access to sensitive data.
Three months ago, Belgium-based researcher Preben Ver Eecke was analyzing Snapchat’s infrastructure when he discovered a production Jenkins instance that could be accessed with any valid Google account.
Jenkins is a self-contained, open source automation server used by developers to automate various tasks, including building, testing and deploying software.
Once logged in to the vulnerable Jenkins instance, the expert gained access to sensitive API tokens and some source code for public applications. Ver Eecke also managed to execute arbitrary code through the Jenkins Script Console.
The vulnerability was reported to Snapchat through its HackerOne-based bug bounty program. The company initially awarded the researcher $12,000 for his findings and later decided to give him a $3,000 bonus.
A second researcher, Sadeghipour, found another exposed Jenkins instance; this time, however, it was a test instance. While an attacker could have exploited the access to execute arbitrary code via the Jenkins Script Console, the instance did not store any source code or other resources. The vulnerability earned the researcher $5,000.
In a blog post published this week, Sadeghipour revealed that he discovered the exposed Jenkins instance by conducting a search via the Censys search engine:
“Going through the results, there was a subdomain, REDACTED-jenkins-Environment.sc-corp.net, that pointed the user to log in to see what’s on that site,” the white hat hacker explained. “At this point, I wondered if there’s a prod environment, there’s got to be more, so let’s look for them. To speed up my process I used a script that would look for different permutations of REDACTED-jenkins-$env.sc-corp.net with the following list: ‘dev, alpha, stage, prod, beta, local, test’. As expected, a few of those returned with 302 as their response code, which hinted that they may be behind a login.”
Sadeghipour advised organizations to ensure that their Jenkins instances are protected, as they can often provide access to credentials, API keys and source code. He also advised bug bounty hunters looking for exposed Jenkins instances to ensure that the access they obtain is exploitable before submitting a report to the respective vendor’s bug bounty program.
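One way an organization can act on that advice, as an added example that is not from the article or from Snapchat: a small Python audit of a Jenkins `config.xml` that flags the combination behind the production finding, a security realm that accepts any Google account together with an authorization strategy that gives every logged-in user full control (which includes the Script Console). The Jenkins core class names are real; the google-login realm class name and its `domain` field are assumptions.

```python
import xml.etree.ElementTree as ET
# Jenkins core class names (real); the google-login realm class and its
# <domain> field are assumptions, not taken from the article.
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
GOOGLE_REALM = "org.jenkinsci.plugins.googlelogin.GoogleOAuth2SecurityRealm"

def audit_jenkins_config(xml_text):
    """Return a list of findings for a Jenkins config.xml; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("security disabled: <useSecurity> is not true")
    strategy = root.find("authorizationStrategy")
    strategy_cls = strategy.get("class", "") if strategy is not None else ""
    if strategy_cls == UNSECURED:
        findings.append("Unsecured authorization: anyone can do anything")
    elif strategy_cls == FULL_CONTROL:
        # Every account that can log in gets full control, Script Console included.
        findings.append("all logged-in users have full control")
        if (strategy.findtext("denyAnonymousReadAccess") or "").strip().lower() != "true":
            findings.append("anonymous read access is allowed")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == GOOGLE_REALM:
        # No domain restriction means any valid Google account can sign in.
        if not (realm.findtext("domain") or "").strip():
            findings.append("Google login accepts any Google account")
    return findings

# Constructed sample resembling the production finding: any Google account
# can log in and then has full control.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.googlelogin.GoogleOAuth2SecurityRealm">
    <clientId>constructed-client-id</clientId>
    <domain></domain>
  </securityRealm>
</hudson>"""

# Constructed hardened sample: matrix authorization plus a domain-restricted realm.
HARDENED_CONFIG = (WEAK_CONFIG
    .replace(FULL_CONTROL, "hudson.security.GlobalMatrixAuthorizationStrategy")
    .replace("    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>\n", "")
    .replace("<domain></domain>", "<domain>example.com</domain>"))

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_jenkins_config(cfg) or ["no findings"])
```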