Lido UI Potential Malicious Code Injection - Bug Bounty Report

in Post Mortem by Lido

On 21.02.2022 Lido received a report via Immunefi from the United Global Whitehat Security Team on a vulnerability affecting a number of Lido UIs, including the landing page lido.fi, the Ethereum & Terra staking widgets stake.lido.fi & terra.lido.fi, the Easy Track UI easytrack.lido.fi, and two informational pages, lego.lido.fi & careers.lido.fi. The vulnerability lay in the way the Next.js 'image' module handles a particular missing-file edge case, allowing for malicious code injection on lido.fi, stake.lido.fi, terra.lido.fi & easytrack.lido.fi and an open redirect from lego.lido.fi & careers.lido.fi.


The vulnerability was patched on all reported domains within 5.25 hours of receiving the report, and based on URL access logs no users were affected.


During the investigation, we discovered that the Next.js image component endpoint would reflect whatever was supplied in its url parameter. So, if we browse to https://lido.fi/next/image?url=/testing/&w=256&q=7, the phrase "testing" appears in the HTTP response. According to the researcher, the image endpoint was vulnerable to MIME sniffing since its response lacked both a Content-Type header and an X-Content-Type-Options: nosniff header, leaving the browser to guess the content type from the reflected body. As a result, the researcher was able to create a proof-of-concept that executed JavaScript in the context of Lido domains using MIME sniffing techniques.


Malicious code injection would potentially have allowed an attacker to change the page contents & hijack user input on a Lido-owned domain. That makes the vulnerability critical in impact, as an attacker could craft a specific link to, say, stake.lido.fi, so that users following that link would send funds to the attacker’s wallet instead of the Lido staking contracts. Another high-impact attack vector example would be preparing a link that adds a “share your seed phrase” form to the lido.fi landing page.


The informational pages lego.lido.fi & careers.lido.fi weren’t vulnerable to malicious code injection, but allowed for an open redirect: a user following a specifically formatted link to lego.lido.fi or careers.lido.fi could have been redirected to another web domain, allowing for legit-looking phishing links, but not pages. Note that in this case the landing domain would differ from the Lido-owned one, decreasing the potential impact.


With phishing being a pervasive issue for web3 projects, such a vulnerability could have had significant impact. We’re very grateful to the United Global Whitehat Security Team for the report and all the effort that went into its preparation & checks, as well as to Immunefi for facilitating the communication. Two bounties have been paid out, one at the critical tier for the malicious code injection and one at the low tier for the open redirect.


Stay safe out there!