Throne, a popular platform content creators use to get gifts from their fans, recently announced it had fixed a bug exposing its customers’ home addresses. Security researchers discovered a session cookie issue allowing unauthorized users to access Throne’s Amazon accounts. The company has since fixed this issue, but it’s unclear whether any malicious entities had abused this bug as well.
According to Throne, around 200,000 creators from around the world and their fans use its services. These creators span popular platforms like TikTok, Twitter, YouTube, and Twitch. Throne lets content creators make wishlists containing items from stores they’d like to have in the hopes their fans will fund the purchase. If a creator’s fans decide to pay for something on their list, Throne handles the buying and shipping process.
One of Throne’s selling points is its “privacy-first” approach as content creators’ delivery details are “stored securely and completely inaccessible to fans.” A group of ethical security hackers from Germany who go by the collective term Zerforschung found this isn’t quite true.
Ethical Hackers Discover Cookie Flaw Leaking Sensitive Data
Zerforschung, a collective of white-hat hackers and security researchers known for finding dangerous flaws in popular platforms, discovered the vulnerability in the company’s database configuration. Throne hosts its database on Google’s Firebase, and they use it to store important information, like session cookies for its Amazon accounts.
If you’re not familiar with how cookies work, it’s a complex system of data-hungry scripts that log and store almost everything about your connection and what you do online. The specific cookies at fault here are session cookies, which record information like your login details and multi-factor authentication approval. These cookies keep you logged into apps and websites so you don’t have to constantly log in again every time you use them.
Cybercriminals consider session cookies some of the most valuable data to steal, as these give them the power to pose as an authenticated user. You’ll commonly find these cookies used in session hijacking attacks, where malicious actors infiltrate your browsing sessions unnoticed and gain access to your systems as if they were you.
Zerforschung used the unprotected session cookies they discovered to access Throne’s Amazon account without the need to log in. This gave the researchers access to thousands of orders and the names and physical addresses of the creators they shipped to.
Throne Fixes the Bug, But Can’t Prove It Hasn’t Been Exploited
After the researchers reported the bug to Throne, the company worked quickly to fix the security issue and published a blog post about it. In its post, it says “[A] version of Throne was shipped which had misconfigured Firestore rules [in late March].” It also admitted the blocked IP addresses Throne maintains for fraud prevention was among the data researchers could access.
Throne then went on to say it had used network logs to determine “no data was compromised or viewed by any unknown party at any time.” This was likely in an effort to defeat any worries content creators might have about their safety. Yet it might prove a false claim as Zerforschung says in its own blog post, the company didn’t verify the collective’s IP addresses.
This way Throne could have ruled out the researchers’ activity while investigating the incident. A mistake like this creates some doubt about the validity of the company’s claim and may lull creators into a false sense of security. At this stage, it’s unclear whether anyone outside the research collective was aware of the bug and managed to infiltrate Throne’s Amazon sessions.
In its blog post, Throne also states “it was nearly impossible to link any data found in these merchant accounts to Throne user data, let us conclude that no data risk existed.” This statement directly contradicts Zerforschung’s findings, as the security researchers said they were able to see the names and addresses of creators who had used the service.
Throne seemingly wants to make this look like a non-event with wording such as “No data was accessed by unknown parties and so this article is only there for transparency.” Yet it hasn’t unequivocally proven this, especially given the feedback from the security research group that alerted Throne of the bug’s existence in the first place.
Digital Privacy Equals Physical Safety
For creators, this is a potential nightmare situation as many have had to deal with stalkers, death threats, and swatting attacks in the past. If cybercriminals did get access to this information, it could put creators’ lives at risk. Throne has built its whole existence on helping creators get gifts from fans while protecting their privacy, so it naturally wants to downplay the danger of this situation.
Even if you’re not a content creator, the idea that this level of potential intrusion into your personal life is possible should be alarming. Our digital and physical lives have become so interconnected, digital threats are inescapable. This means you need to start implementing safety measures for your digital devices and data, just as much as you would have alarms and locks to keep your house safe.
Protecting your digital data should include:
- Taking steps to limit who has access to your information by sharing less, turning on privacy settings, and scrutinizing the companies you share your data with.
- Vetting websites and apps before you use them to make sure they’re legitimate and safe.
- Adopting safe digital habits like using secure passwords and activating multi factor authentication.
- Implementing security tools like antivirus programs and VPNs.