The React2Shell Story and What Happened Next.js

15 points by mtlynch


mtlynch

I found it interesting reading about the process of monetizing the vulnerability through bug bounty programs. She says:

In what ended up being responsible for the vast majority of the bounty money I ended up getting from this, Vercel, to their credit, did in fact put their money where their mouth was, and began offering $50k per unique bypass to their WAF on HackerOne.

...

Vercel ended up paying out for 23 unique bypasses, five of which belonged to Lachlan and myself.

If I'm understanding correctly, the two researchers:

  1. Found an RCE in React
  2. Reported the vulnerability to Meta, who maintains React
  3. Tried to find vendors with bug bounty programs that would pay them for proving their site was vulnerable after Meta announces the vulnerability but before the vendor has time to deploy the fix
  4. Once the CVE was published, started testing proofs of concept on the vendors they identified in (3)
  5. In the process of (4), discovered that Vercel's web application firewall (WAF) was blocking their proofs of concept because Vercel had early access to the CVE before the general public and added it to their WAF
  6. In trying to get around Vercel's WAF, they found 5 vulnerabilities ($50k x 5, split two ways, not necessarily 50-50) in the firewall itself, which earned Sylvie more money than she made on React2Shell.

Neither of them disclosed how they split the bounty money or what Meta paid. If they were splitting everything 50-50, then I'm surprised they made more from Vercel than Meta. React2Shell was much more technically sophisticated, had a larger impact, and has a maintainer with deeper pockets. But it's entirely possible that Lachlan kept most or all of the bounty from Meta, since he was the lead on that, and Sylvie led the second-order effect bounty project.

adamshaylor

I don’t enjoy learning how the Flight Protocol works while simultaneously being assured by RSC apologists that I do not need to know that there is such a thing as a Flight Protocol. This is not just about React2Shell, although something as complicated as an RPC protocol is bound to have more vulnerabilities than REST-ish APIs. No, my beef is about a design philosophy that consistently hides details from developers that they actually want and need to know and has been steadily taking React from a comprehensible, focused framework for the benefit of the broader open source community to an opaque, amorphous SDK for a company with a rather cavalier attitude toward security.