Spotify has patched a critical vulnerability in its Backstage catalog and developer platform. Researchers at Oxeye spotted the vulnerability as part of Spotify's bug bounty program. The researchers gained remote code execution in Backstage, Spotify's open source, CNCF-incubated project, by exploiting a VM sandbox escape through the vm2 third-party library.
A Backstage vulnerability at Spotify
“Backstage – a CNCF incubated project by Spotify, is one of the most popular open source platforms for building developer portals. It restores order to your microservices and infrastructure, thus enabling your product teams to ship high-quality code quickly without compromising autonomy,” said the Oxeye report.
Spotify's Backstage catalog caters to several organizations, including American Airlines, Epic Games, Netflix, etc. The vulnerability could be triggered using a recently disclosed VM sandbox escape flaw in the vm2 third-party library. Remote code execution allows hackers to run any code on the hacked device and perform malicious activities. All of this applies if the user has unknowingly downloaded malware onto their device. It can cause loss of system data, increased access through lateral movement to other connected systems, the launching of ransomware, disruption of apps, etc.
After executing their own payloads, the researchers determined the impact of the bug. Following this, they ran a simple query for the Backstage favicon hash in Shodan, which showed 500 exposed instances. It was also found that Backstage was accessible without much authentication. This led to the observation that cybercriminals could exploit the vulnerability without needing much authentication. Businesses using Backstage are asked to update it to its latest version to avoid being open to exploitation.
Acquiring JavaScript execution rights within the template and using proper template engines are also recommended, as the wrong one can lead to threats and exposure. Backstage is a popular open-source platform that has over 19,000 stars on GitHub. It is used for building developer portals and offering services related to microservices and infrastructure, streamlining the development environment, and holding integration details, among others.
Following the alert, the Spotify team released an update in version 1.5.1 to patch the vulnerability. The fix came after researchers from Oxeye discovered a vm2 sandbox escape vulnerability causing remote code execution.
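To illustrate the template-engine recommendation above, here is an added example (not code from Backstage, Spotify or Oxeye) of a logic-less renderer in which placeholders are plain data lookups and are never evaluated as JavaScript. The `${{ ... }}` placeholder syntax, the function names and the sample values are assumptions made for the illustration.

```javascript
// Added example: a logic-less template renderer.
// A placeholder may only name a value; it can never carry an expression.
const PLACEHOLDER = /\$\{\{(.*?)\}\}/g;            // assumed placeholder syntax
const SAFE_PATH = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;
const BLOCKED = new Set(['__proto__', 'prototype', 'constructor']);

// Walk a dotted path through own properties only, so nothing inherited
// from Object.prototype (or any other prototype) is reachable.
function resolve(path, values) {
  let current = values;
  for (const key of path.split('.')) {
    if (BLOCKED.has(key)) throw new Error(`blocked key: ${key}`);
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, key)) {
      throw new Error(`unknown value: ${path}`);
    }
    current = current[key];
  }
  // Only scalars are rendered; objects and functions never reach the output.
  if (typeof current !== 'string' && typeof current !== 'number') {
    throw new Error(`not a scalar: ${path}`);
  }
  return String(current);
}

// Replace every placeholder with its looked-up value. Anything that is not
// a plain dotted identifier path is rejected instead of being evaluated.
function render(template, values) {
  return template.replace(PLACEHOLDER, (_, expr) => {
    const path = expr.trim();
    if (!SAFE_PATH.test(path)) throw new Error(`expression rejected: ${path}`);
    return resolve(path, values);
  });
}

// Constructed sample input.
const sample = { parameters: { name: 'payments-api', owner: 'team-a' } };
console.log(render('name: ${{ parameters.name }}, owner: ${{ parameters.owner }}', sample));
```

Because the renderer fails closed, a template containing operators, calls or prototype keys produces an error at render time rather than output.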