We pwned X, Vercel, Cursor, and Discord through a supply-chain attack

Bug bounty payouts and exploit economics

  • Many commenters feel $4k–$5k is insultingly low for a vuln that can fully compromise high‑value accounts; some call it “bad PR” and “pathetic” relative to company size and risk.
  • Others argue it’s life‑changing money for a teenager and a strong CV signal that can lead to high‑paying jobs.
  • Several security professionals note that bug bounties are not priced by worst‑case impact but by market dynamics: XSS generally has little or no grey‑market value compared to long‑lived RCE chains on major platforms.
  • There’s debate about whether such underpayment nudges some researchers toward selling or weaponizing vulns instead of disclosing.

Severity and nature of the vulnerability

  • Core issue: untrusted SVGs with embedded JS, uploaded through Mintlify, were served from and executed on customers’ primary domains (e.g., discord.com), enabling XSS.
  • Impact ranges from DOM manipulation and phishing to full account takeover, depending on each site’s auth model (cookies vs localStorage, CSP, CSRF, MFA, separate auth domains).
  • Some emphasize that modern mitigations (HttpOnly, CSP, subdomains) can sharply reduce impact; others counter that control of the client session is effectively game‑over in many real deployments.
  • There’s confusion between XSS and “RCE”; linked writeups show a separate server‑side RCE on Mintlify itself.

“Supply-chain attack” terminology

  • Several argue this is misuse: the bug is in a dependency, not a malicious update inserted into the supply chain.
  • Others accept a broader definition: an upstream service (Mintlify) flaw transparently compromising downstream integrators.

Third‑party docs, origins, and mitigations

  • Strong criticism of serving third‑party docs from the main domain; many advocate separate domains/subdomains with tight CSP and host‑only cookies.
  • Some doc‑platform operators say they intentionally avoid features like inline auth or GitHub‑sync due to inherent security risks, despite customer/SEO pressure.

SVG and document formats as attack surface

  • Extensive discussion that SVG is effectively “HTML for images” and dangerous to treat as a simple image.
  • Stripping <script> isn’t enough; event attributes, external references, and nested SVGs can still execute code.
  • Recommended patterns:
    • Prefer <img src="..."> for untrusted SVGs; never inline them.
    • Use strict CSP (e.g., script-src 'none' on SVG endpoints).
    • Consider server‑side rasterization for user‑uploaded SVGs.
    • Sanitization is hard; existing tools are often minifiers, not true sanitizers.
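To make the “stripping <script> isn’t enough” point concrete, here is an added example (not code from the article, the thread, or Mintlify): a checker that flags event handlers, active URL schemes and external references that a script-only strip leaves behind, plus the response headers a dedicated SVG endpoint would send. The sample SVG, the `run()` handler name and the `example.invalid` host are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run code or smuggle HTML into an inlined SVG: <script>
# directly, <foreignObject> by embedding HTML, <set>/<animate> by rewriting
# attributes such as href at runtime. A real sanitizer should allowlist
# elements and attributes; this denylist is only a detection aid.
ACTIVE_ELEMENTS = {"script", "foreignobject", "set", "animate"}

def local_name(qualified: str) -> str:
    """Strip the XML namespace ({http://...}name) from a tag or attribute."""
    return qualified.rsplit("}", 1)[-1]

def naive_strip_script(svg: str) -> str:
    """The insufficient fix: remove <script> elements and nothing else."""
    return re.sub(r"<script\b.*?</script\s*>", "", svg, flags=re.S | re.I)

def find_active_content(svg: str) -> list[str]:
    """Report everything that can execute code or reach the network if the
    SVG is inlined into a page instead of being loaded via <img src=...>."""
    findings = []
    for el in ET.fromstring(svg).iter():
        name = local_name(el.tag).lower()
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in el.attrib.items():
            a, v = local_name(attr).lower(), value.strip().lower()
            if a.startswith("on"):  # onload=, onclick=, onerror=, ...
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and re.match(r"(javascript|data):", v):
                findings.append(f"href with active scheme on <{name}>")
            elif a == "href" and re.match(r"(https?:)?//", v):
                findings.append(f"external reference href on <{name}>")
    return findings

def svg_response_headers() -> dict[str, str]:
    """Headers for an endpoint serving user-uploaded SVGs: no script, no
    external loads, sandboxed origin, so even direct navigation to the file
    cannot touch the host site's session."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }

# Constructed sample: the handler and URLs survive a <script>-only strip.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">
  <script>run()</script>
  <a xlink:href="javascript:run()"><circle r="10"/></a>
  <image href="https://example.invalid/pixel.png"/>
</svg>"""
```

Running `find_active_content(naive_strip_script(SAMPLE_SVG))` still reports the `onload` handler, the `javascript:` link and the external image, which is why the thread recommends `<img>` plus CSP over sanitization.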

Legality and practice of vulnerability research

  • Commenters warn that probing sites without explicit programs (HackerOne/Bugcrowd scopes, VDPs) can trigger legal action even for “white hats.”
  • Mention of evolving national laws that explicitly protect good‑faith security research, but coverage is inconsistent.

Security culture and AI/startup criticism

  • Some see this as emblematic of “move fast” AI/SaaS culture: flashy marketing and complex infra with weak security fundamentals.
  • Others note these mistakes predate AI and stem from long‑standing web‑dev practices (JS dependency sprawl, sloppy multi‑tenant designs, weak cookie scoping).

Value of young researchers

  • Many praise the technical skill and initiative of a 16‑year‑old finding this and suggest such people should be hired or sponsored.
  • Others note a single prolific bug hunter cannot replace systematic security engineering, pentests, and defense‑in‑depth.