TRUFFLEHOG

Dylan Ayrey

THE DIG

August 3, 2023

Discovering a Vulnerability in Forager AuthZ, Hours before Public Launch

We’re happy to announce our team fixed an authorization vulnerability in our new public scanning tool, Forager, prior to public launch. This wouldn’t have been possible without the incredible support of the infosec community. Specifically thank you to Tushar Bhardwaj for disclosing the issue.

We’re sharing this post for a few reasons: (1) we believe in transparency, (2) we want to express gratitude to the researcher that came forward to disclose the vulnerability, and (3) we’d like to encourage other security organizations to follow a similar path for disclosing critical vulnerabilities to their customer base.

A few weeks ago, we gave a small group of infosec hobbyists and professionals early access to Forager. This was done in tranches: first through curated private invites, and ultimately through a waitlist.

In one of these tranches, a researcher discovered they could manipulate and take over user accounts due to a flaw in our o365 single sign-on (SSO) implementation, which had been set up alongside Google SSO.

We reviewed our access logs, confirmed that no one had abused the issue, and quickly remediated the vulnerability. Later the same day, with the fix in place and our confidence restored, we publicly launched Forager.

This event truly reinforced the importance of the cybersecurity community; bug bounty hunters and ethical hackers are indispensable to safeguarding our digital world.

As we wrap up this post, I’d like to extend a personal thank you to the researcher who helped us identify and rectify this vulnerability before we went live. You’ve exemplified the reason why we advocate for active security research.

We’re sincerely grateful that you lent your expertise to our platform, providing an extra layer of confidence as we launched Forager. You found the flaw before any potential attacker, turning what could have been a rough start into a powerful reminder of the strength of community-driven security.