Disclosure of a vulnerability that allows the theft of visitors' email addresses using Medium's custom domain feature
- This article describes a vulnerability in a web service called Medium that allows you to steal visitors' e-mail addresses by using custom domain plan of Medium.
- This is done as my personal activity and is not related to my organization.
- I'm not a zero-day guy and this is simply the result of a failure of coordinated disclosure.
- This vulnerability has not been fixed as of the time this article is published (2023-07-13).
- I have notified Medium with sufficient time for disclosure, but have not received a response, and a reasonable period of time that would be required for a fix has passed, and I believe it is in the greater public interest to disclose this information.
- The purpose is to alert the public and to discuss this type of issue, not to suggest abuse.
- 2023-07-22 New applications for custom domains have been suspended (also mentioned in email reply from Medium)
- 2023-08-17 I confirm that the local part of the email address is masked except for the first two characters
Although Medium has implemented some mitigations, the issue has not been fully fixed and Medium's logged-in users are still at risk.
The email address is now masked, but the auto-login for the custom domain remains the same, and the visitor's Medium account can still be identified. As such, it is still possible to identify a visitor if the owner of a custom domain that has already been set up is malicious. Also, the domain part and the first two characters of the email address are not masked, so the full email address may be inferred or the mask may not work. eg: firstname.lastname@example.org
How to reproduce
- Pay $5/month to Medium and subscribe to Medium Membership.
- Set up your own domain as a custom domain e.g.: Set medium.example.com as a custom domain on the Medium side, and specify the IP address of the Medium server in the A record in the DNS settings.
- Confirm that you can connect to your blog with the custom domain.
- Change the A record of medium.example.com to the IP address of your own server and set up a proxy server.
- The Proxy server will keep the request header from the client and the Host header of medium.example.com, and specify the IP address of the Medium server as upstream to relay the request.
- The Proxy server can steal the response content received by the visitor.
- When a visitor logs into medium.example.com, the response of the graphql endpoint includes the visitor's e-mail address and so on.
Self-protection measures on the user side
- Log out of Medium.
- Since it is not known in advance which sites are using Medium, and logging in to Medium may automatically log you in to custom domains, you cannot protect yourself unless you log out of Medium beforehand.
- Complain to Medium
Timeline (Timezone: GMT+9)
- 2022-12-24 Reported to email@example.com that a custom domain's graphql endpoint is returning emails, etc.
- 2022-12-30 Medium replies that they are not accepting any potential problems and that the DNS servers are under Medium's control.
- 2022-12-31 mala to Medium: reply that it is not a potential problem but a low-cost problem to collect emails from medium users and that the DNS servers can be changed by the domain owner at any time.
- 2023-01-02 mala to Medium: create and send demo and video
- 2023-01-17 mala to Medium: urged to reply. Medium replied saying they would let me know if they had any additional information.
- 2023-05-12 mala to Medium: informing them that if there are no effective fixes, mitigations, or user clarifications within a month, I will disclose them.
- 2023-06-12 Due date but no reply from Medium.
- I was busy.
- 2023-07-13 No reply from Medium, confirms that graphql endpoint on own domain continues to return responses including visitor's email address, discloses vulnerability
- 2023-07-18 Medium to mala: Received a notification that it was being treated as an invalid bug and they asked if it was possible to delete Tweets and this gist.
- 2023-07-19 Medium to mala: They says that test and fix will be completed in few days.
- 2023-07-19 I temporarily unpublished this gist (assuming it will be resolved in a few days)
- 2023-07-22 Medium to mala: They says that they has stopped accepting new custom domain and some solution will be rolled out soon.
- 2023-07-27 mala to Medium: I asked when "soon" and "few days"
- 2023-07-28 Medium to mala: They says investigation and fix in progress, will be deployed when ready
- 2023-08-15 I got $1500 from Medium
- 2023-08-17 I confirm that the local part of the email address is masked except for the first two characters. I published this gist again