July 26, 2023

Railway, PII, and GraphQL Endpoints

In my journey as a security researcher, I often encounter interesting and complex vulnerabilities in various companies, big and small. This time, I want to take you through my recent discovery of a significant vulnerability I found in Railway, a platform popular amongst developers for its project-oriented hosting and deployment services.

Let's take a step back and get familiar with Railway. Unlike most social networks and web services, Railway stays under the radar for most internet users, and that is by design: the platform mainly caters to developers, providing an environment for deploying, managing, and collaborating on web-based projects.

Upon inspection, I found that Railway's GraphQL endpoint could be exploited to expose Personally Identifiable Information (PII) of its users, including their full names, emails, profile pictures, project data, git branches, and commit details. This type of data leak is particularly worrying: names and emails tied to a specific project are ready-made material for targeted phishing, and branch names and commit details reveal internal development activity that was never meant to be public.

The flaw was simple: an unauthenticated caller, armed with nothing but the public domain of a targeted user's project, could send a query to the endpoint and get back a rich set of data about the user and the associated project. The lookup was keyed on the public domain alone and did not check whether the caller was authorized to see the owner's data.

After identifying the vulnerability, I immediately contacted the Railway team, detailing the steps to reproduce the issue and emphasizing the risk of unauthorized data disclosure. Reproducing it required nothing more than a fetch request to the GraphQL endpoint from the DevTools console of a browser, with no session or token attached. With the right query, the endpoint returned the PII and project details described above to an anonymous caller.
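To make the failure mode concrete, here is an added example, written for this post and not Railway's code, of a "project by public domain" resolver in the vulnerable shape described above beside a hardened version. The store, field names, domain, and the `ctx.viewer` convention (null for an anonymous request, otherwise an object with the caller's `id`) are all constructed assumptions for illustration.

```javascript
// Added example, not Railway's code. A GraphQL-style resolver for
// "look up a project by its public domain", first in the vulnerable
// shape (no authorization check, owner PII returned to anyone), then
// hardened so the caller's identity decides what comes back.
// All data, field names and the domain below are constructed.

// Constructed sample data; nothing here is real.
const projects = {
  'demo-app.up.example': {
    id: 'proj_1',
    name: 'demo-app',
    ownerId: 'user_1',
    branch: 'main',
    lastCommit: 'a1b2c3d fix login redirect',
  },
};
const users = {
  user_1: {
    id: 'user_1',
    name: 'Ada Example',
    email: 'ada@example.com',
    avatar: 'https://example.com/ada.png',
  },
};

// Vulnerable: keyed on the public domain alone, the viewer is ignored,
// so owner PII and repository details go to anyone who knows the domain.
function projectByDomainVulnerable(args, ctx) {
  const project = projects[args.domain];
  if (!project) return null;
  const owner = users[project.ownerId];
  return { ...project, owner };
}

// Assumption: ctx.viewer is null for an unauthenticated request,
// otherwise { id } for the logged-in user.
function isOwner(project, viewer) {
  return viewer != null && viewer.id === project.ownerId;
}

// Hardened: deny by default to anonymous callers, expose only a
// deliberately public subset to other authenticated users, and return
// owner PII and git details to the owner only.
function projectByDomainHardened(args, ctx) {
  const project = projects[args.domain];
  if (!project) return null;
  const viewer = ctx.viewer ?? null;
  if (viewer === null) return null;
  if (!isOwner(project, viewer)) {
    return { id: project.id, name: project.name };
  }
  const owner = users[project.ownerId];
  return {
    ...project,
    owner: { id: owner.id, name: owner.name, email: owner.email, avatar: owner.avatar },
  };
}

// Mimics the credential-less DevTools request from the post: no viewer in context.
function unauthenticatedQuery(resolver, domain) {
  return resolver({ domain }, { viewer: null });
}

// Regression check a team could keep in CI: does a result carry owner PII?
const PII_FIELDS = ['email', 'avatar'];
function leaksPii(result) {
  if (!result || !result.owner) return false;
  return PII_FIELDS.some((f) => f in result.owner);
}
```

The point of the hardened resolver is that authorization lives in the resolver itself, next to the data it returns, rather than being assumed from the fact that the project has a public URL. The `leaksPii` helper is the kind of assertion worth running against every resolver with an anonymous context, so a future refactor cannot quietly reintroduce the leak.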

Fortunately, upon receiving my report, the Railway security team acted promptly. They acknowledged the vulnerability and confirmed that my findings qualified for a payout according to their bug bounty program. Furthermore, they promptly patched the bug, demonstrating their commitment to their users' security.

Conclusion

I'm relieved that my report led to the swift resolution of this vulnerability, securing the private data of Railway's users. As security researchers, we are continually challenging systems and services, hoping to make the web a safer place for everyone. It's encouraging to see companies like Railway take these discoveries seriously and act quickly to mitigate risks. Their prompt action and acknowledgment of my work, including the $1,000 bounty, are highly appreciated.
