Some of you might be aware via social media that a vulnerability in our Call for Papers system was brought to our attention, and has been successfully mitigated. In the interests of transparency, we thought we should present a quick rundown on what happened.
One of Black Hat’s Review Board members, Felix 'FX' Lindner, has a colleague named Joern Schneeweisz (@joernchen) who is co-hosting a training course at Black Hat USA 2014 called Ruby on Rails – Auditing & Exploiting the Popular Web Framework. Since Felix is aware that our Call for Papers system is based on the Ruby on Rails platform, it was suggested that Joern try some of his research on our system.
Joern proceeded to test out his course methods on our CFP to tease out potential exploits, and was able to find a privilege escalation exploit related to the password reset function. This enabled him to log on as an admin to the system. He then responsibly disclosed this information to us, and we have patched our system to fix this particular issue.
Black Hat would like to thank Joern for bringing this to our attention and disclosing responsibly. No information leak occurred as a result of this, and Joern will be blogging about more specifics on the exploit in the near future. (In addition, if you work with Ruby on Rails, you may want to attend Joern’s training at Black Hat USA in August!)
The Black Hat Team