When we think of Spotify, we usually think of Discover Weekly or of the question "Do I really want this app as my preferred podcast player?" But one of the Swedish company's products is actually a hugely popular developer tool called Backstage, which is used by large and well-known companies. An Israeli startup has now found an interesting security weakness in it.
A tool with 16 million downloads per month
Backstage is a tool that Spotify originally developed internally for its own development teams. It lets a company build a developer portal that connects to all of its development processes and cloud services, so that development teams can see in real time which tools and services are running, access any of those services, deploy applications, and read the documentation of the various services – all from one place.
After using it internally, Spotify released the tool as open source, and today it is used by some of the biggest companies in the market. Besides Spotify, its users include Netflix, Splunk, American Airlines, HBO, Roku, Unity and Epic Games, as well as Israeli companies such as Palo Alto Networks and Yotpo. The Backstage library is downloaded 16 million times per month.
Today, the Israeli startup Oxeye revealed that it has identified a weakness in the tool which allowed malicious actors to gain access to the development systems of every company that uses Backstage. It is a Remote Code Execution via Sandbox Escape vulnerability, meaning an attacker can run arbitrary code on the server that hosts Backstage.
In a conversation with Gigtime, Ron Vider, co-founder and CTO of the company, said that the research began by mapping potential attack surfaces, specifically in the application's third-party libraries. "One of the libraries we chose is a JavaScript library called VM2… The reason we focused specifically on this library is that we recognized that it receives inputs directly from the user," says Vider.
The Oxeye researchers discovered that, by abusing JavaScript's error-handling mechanism, it was possible to run code free of the sandbox's enforcement and controls. Using this weakness, the researchers crafted a special input that bypasses the security mechanism and allows Backstage servers to be attacked.
Vider added that "In order to intensify the potential damage discovered from the research, we found that in some cases, there is a poor implementation of the authentication mechanism which allows a malicious attacker to exploit the weakness without the need for any preliminary information (such as a username and password, for example), and therefore, the result of the combination of these two vulnerabilities means that any Backstage usage that is exposed to the Internet can be attacked and exploited."
Oxeye, of course, went through a responsible disclosure process with Spotify, which took care of fixing the weakness. Vider says that so far the company is not aware of any exploitation of the weakness.