We pwned X, Vercel, Cursor, and Discord through a supply-chain attack
a day ago
- #XSS
- #Bug Bounty
- #Cybersecurity
- Daniel, a 16-year-old high school senior, found a critical cross-site scripting (XSS) vulnerability in Mintlify, an AI documentation platform used by top companies like Discord, X (Twitter), and Vercel.
- The vulnerability allowed attackers to inject malicious scripts into documentation sites, potentially stealing user credentials from a victim who clicked a single crafted link.
- Daniel discovered an endpoint in Mintlify's API that fetched static files from any subdomain without validating the requested host, so an attacker-controlled SVG file containing embedded JavaScript could be served through it to trigger the XSS.
- After reporting the issue, Discord temporarily shut down its developer documentation, reverted to its old platform, and removed Mintlify routes.
- Mintlify quickly addressed the vulnerabilities, and the team collectively received around $11,000 in bug bounties from Discord and Mintlify.
- The incident highlights the risks of supply chain vulnerabilities, where a single compromised service can impact multiple high-profile companies.
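The hardening a defender would want on a "fetch a static file from a subdomain" endpoint like the one described above, as an added example that is not Mintlify's code or part of the original write-up: the host allowlist, the SVG patterns and the header policy are assumptions for illustration.

```python
# Added defensive example (hypothetical, not the platform's own code): a
# proxy that fetches static files must (1) only fetch from hosts it trusts,
# (2) never hand an SVG to the browser inline in the site's own origin, and
# (3) flag SVGs carrying active content so the event can be logged or blocked.
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts the proxy may fetch from (placeholder names).
ALLOWED_HOSTS = {"docs.example.com", "assets.example.com"}

# Only raster image types are passed through inline; everything else,
# including image/svg+xml, is served as a sandboxed download.
INLINE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Markers of executable content inside an SVG document.
_ACTIVE_SVG = re.compile(
    rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b", re.IGNORECASE
)


def validate_fetch_target(url: str) -> bool:
    """Accept only https URLs whose host is on the explicit allowlist."""
    parts = urlsplit(url)
    # Reject userinfo and explicit ports: both are classic ways to make a
    # URL look like a trusted host while resolving elsewhere.
    if parts.scheme != "https" or parts.username or parts.port:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in ALLOWED_HOSTS


def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG carries script, event handlers, javascript: URLs or
    foreignObject (which can embed arbitrary HTML)."""
    return _ACTIVE_SVG.search(data) is not None


def response_headers(content_type: str) -> dict:
    """Headers for the proxied bytes: MIME-sniffing off, SVG never inline."""
    headers = {"X-Content-Type-Options": "nosniff"}
    base = content_type.split(";")[0].strip().lower()
    if base in INLINE_TYPES:
        headers["Content-Type"] = base
        return headers
    headers["Content-Type"] = base or "application/octet-stream"
    # Force a download and a script-less sandbox so the file can never run
    # in the documentation site's origin even if the browser renders it.
    headers["Content-Disposition"] = "attachment"
    headers["Content-Security-Policy"] = "sandbox; script-src 'none'"
    return headers
```

The allowlist check alone closes the "any subdomain" hole; the header policy is defence in depth for the case where a trusted host is itself compromised.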