stripe / veneur

A distributed, fault-tolerant pipeline for observability data
MIT License
1.73k stars, 174 forks

security issue: veneur.org is no longer owned by stripe #1058

Closed peterldowns closed 1 year ago

peterldowns commented 1 year ago

This repository links to https://veneur.org in the sidebar, but this website seems to be empty/squatted/monetized and owned by someone other than Stripe. Whoever owns this website could easily impersonate Stripe and phish devs or drive developers to download malicious libraries or binaries.


That website seems to be empty/squatted/monetized


The dig / whois make me think that this domain is no longer under Stripe's control:

dig veneur.org

```
❯ dig veneur.org

; <<>> DiG 9.10.6 <<>> veneur.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12626
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;veneur.org.			IN	A

;; ANSWER SECTION:
veneur.org.		476	IN	CNAME	77980.bodis.com.
77980.bodis.com.	6827	IN	A	199.59.243.223

;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 01 23:30:50 EDT 2023
;; MSG SIZE  rcvd: 84
```

whois veneur.org

```
❯ whois veneur.org
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.publicinterestregistry.org

domain:       ORG

organisation: Public Interest Registry (PIR)
address:      11911 Freedom Drive,
address:      10th Floor, Suite 1000
address:      Reston VA 20190
address:      United States of America (the)

contact:      administrative
name:         Director of Operations, Compliance and Customer Support
organisation: Public Interest Registry (PIR)
address:      11911 Freedom Drive,
address:      10th Floor, Suite 1000
address:      Reston VA 20190
address:      United States of America (the)
phone:        +1 703 889 5778
fax-no:       +1 703 889 5779
e-mail:       ops@pir.org

contact:      technical
name:         Senior Director, DNS Infrastructure Group
organisation: Donuts Inc.
address:      10500 NE 8th Street, Suite 750
address:      Bellevue WA 98004
address:      United States of America (the)
phone:        1.425.298.2200
fax-no:       1.425.671.0020
e-mail:       tldtech@donuts.email

nserver:      A0.ORG.AFILIAS-NST.INFO 199.19.56.1 2001:500:e:0:0:0:0:1
nserver:      A2.ORG.AFILIAS-NST.INFO 199.249.112.1 2001:500:40:0:0:0:0:1
nserver:      B0.ORG.AFILIAS-NST.ORG 199.19.54.1 2001:500:c:0:0:0:0:1
nserver:      B2.ORG.AFILIAS-NST.ORG 199.249.120.1 2001:500:48:0:0:0:0:1
nserver:      C0.ORG.AFILIAS-NST.INFO 199.19.53.1 2001:500:b:0:0:0:0:1
nserver:      D0.ORG.AFILIAS-NST.ORG 199.19.57.1 2001:500:f:0:0:0:0:1
ds-rdata:     26974 8 2 4fede294c53f438a158c41d39489cd78a86beb0d8a0aeaff14745c0d16e1de32

whois:        whois.publicinterestregistry.org

status:       ACTIVE
remarks:      Registration information:
remarks:      http://publicinterestregistry.org

created:      1985-01-01
changed:      2022-06-03
source:       IANA

# whois.publicinterestregistry.org

Domain Name: veneur.org
Registry Domain ID: d030e50db06d446e9a6ff5e59c15e1f4-LROR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2023-05-19T20:23:04Z
Creation Date: 2017-05-19T20:20:40Z
Registry Expiry Date: 2024-05-19T20:20:40Z
Registrar: NameCheap, Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: autoRenewPeriod https://icann.org/epp#autoRenewPeriod
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Capital Region
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: IS
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: dns101.registrar-servers.com
Name Server: dns102.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2023-06-02T03:32:38Z <<<

# whois.namecheap.com
```
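An added check, not part of this issue or of the veneur project, that parses the dig ANSWER SECTION and a few whois fields quoted above and flags the signals the reporter relied on: a CNAME into a domain-parking service, a privacy-shielded registrant, and a whois record changed shortly before the report. The parking-service suffix list and `REPORT_TIME` are assumptions; the sample outputs are constructed from the issue's own dig and whois excerpts.

```python
import re
from datetime import datetime, timezone
# Constructed samples: the ANSWER SECTION and a few whois fields quoted in this issue.
DIG_OUTPUT = """\
;; ANSWER SECTION:
veneur.org.             476     IN      CNAME   77980.bodis.com.
77980.bodis.com.        6827    IN      A       199.59.243.223
"""
WHOIS_OUTPUT = """\
Registrar: NameCheap, Inc.
Updated Date: 2023-05-19T20:23:04Z
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
"""
# Assumed: the date the reporter ran dig, and a short list of domain-parking services.
REPORT_TIME = datetime(2023, 6, 2, tzinfo=timezone.utc)
PARKING_SUFFIXES = tuple("." + s for s in ("bodis.com", "sedoparking.com", "parkingcrew.net"))

def parse_answers(dig_text):
    """Return (owner, rrtype, rdata) tuples from dig's ANSWER SECTION."""
    recs, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break  # blank line or next ';;' header ends the section
            parts = line.split()
            if len(parts) >= 5:
                recs.append((parts[0].rstrip("."), parts[3], parts[4].rstrip(".")))
    return recs

def whois_field(whois_text, key):
    # First 'Key: value' line for this key; None when the registry omits the field.
    m = re.search(rf"^{re.escape(key)}:\s*(.+)$", whois_text, re.M)
    return m.group(1).strip() if m else None

def ownership_findings(domain, dig_text, whois_text, now=REPORT_TIME):
    """Signals that a domain linked from project docs may no longer be the project's."""
    findings = []
    for owner, rrtype, rdata in parse_answers(dig_text):
        if owner == domain and rrtype == "CNAME" and rdata.endswith(PARKING_SUFFIXES):
            findings.append(f"CNAME to parking service: {rdata}")
    if "privacy" in (whois_field(whois_text, "Registrant Organization") or "").lower():
        findings.append("registrant hidden behind a privacy service")
    updated = whois_field(whois_text, "Updated Date")
    if updated:  # a change shortly before the report suggests a transfer or drop-catch
        age = now - datetime.fromisoformat(updated.replace("Z", "+00:00"))
        if age.days < 30:
            findings.append(f"whois record changed {age.days} days ago")
    return findings
```

Run the same functions against live `dig` and `whois` output for every domain a README or sidebar links to; an empty findings list is the expected result for a domain the project still controls.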
peterldowns commented 1 year ago

A $1k bounty would be greatly appreciated, thank you :)

rma-stripe commented 1 year ago

Hi, you are welcome to submit reports to our bug bounty program https://hackerone.com/stripe.

peterldowns commented 1 year ago

Ok, thank you, I will do that shortly.

I see that someone has removed the website link from the repo’s sidebar — good. But most of the forks will still have the link (including your own). I think Stripe needs to recover control of the domain, as it’s still an excellent starting point for a phishing or supply chain contamination attack.

This is particularly important because the current repository does not contain install instructions, or any references to the official (maybe?) Dockerhub prebuilt image for veneur. The only instructions linking to the stripe/veneur image seemed to come from a link on the veneur.org home page

https://web.archive.org/web/20221207071347/https://veneur.org/

which linked to aditya’s website

https://web.archive.org/web/20221129204730/https://varnull.adityamukerjee.net/2018/04/05/observing-kubernetes-services-with-veneur/

Whoever has control over the website could easily direct developers to install a malicious container or download malicious code. Especially because veneur is such a security-sensitive project, designed to be run as a sidecar within private networking environments, this should be considered a high-risk problem.

peterldowns commented 1 year ago

Closing this issue since I have successfully reported the bug through hackerone, and Stripe does not plan to regain control of the domain.