Gainsight, a provider of customer success software, addressed a security vulnerability in its Product Experience (PX) platform after being alerted by cybersecurity firm Varonis. The flaw, identified as a novel supply chain attack vector, originated from a misconfigured Amazon Web Services (AWS) S3 bucket. Gainsight PX is an application available on the Salesforce AppExchange, a marketplace for business apps.
The issue was discovered by a security researcher from Varonis Threat Labs who found a public-facing AWS S3 bucket belonging to Gainsight. An investigation revealed the bucket contained a JavaScript file named ‘gainsight-px’ which was configured with write permissions for any authenticated AWS user. This misconfiguration created a direct path for a potential supply chain attack.
Discovery of the S3 Bucket Misconfiguration
The Varonis researcher, Orin Pozner, identified the insecure S3 bucket and its permissions. The vulnerability allowed any user with a valid AWS account to modify the ‘gainsight-px’ JavaScript file. Gainsight’s customers embed this script into their own applications to deliver product-experience features, so by modifying this single, centrally hosted file an attacker could distribute malicious code to every end user of the client applications that include it.
To confirm the vulnerability, the Varonis team executed a proof-of-concept. The researcher modified the JavaScript file to include a benign popup alert. This altered script was then successfully served to Varonis’s own Gainsight PX environment, demonstrating that the attack vector was viable and that custom code could be injected and executed on customer platforms.
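As an added illustration of the defensive check this finding calls for (example code, not from Varonis, Gainsight or the article): a Python function that scans an S3 ACL, in the dict form boto3’s get_bucket_acl() / get_object_acl() return, for grants to S3’s AllUsers and AuthenticatedUsers groups and flags write-capable grants of the kind described above. The sample ACL is constructed for the example and is not Gainsight’s real configuration.

```python
# Amazon S3 predefined group URIs (real values used in S3 ACL grants).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let the grantee change content or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def find_risky_grants(acl):
    """Return (who, permission, severity) tuples for every grant to one of
    S3's global groups. `acl` is a dict shaped like the response boto3 returns
    from get_bucket_acl() or get_object_acl(); AWS itself treats a grant to
    either group as "public"."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one account
        uri = grantee.get("URI")
        if uri not in (ALL_USERS, AUTHENTICATED_USERS):
            continue  # e.g. the LogDelivery group is not a public grant
        permission = grant.get("Permission")
        # Write access for any AWS account is the misconfiguration described
        # in the article: an arbitrary account can replace the served script.
        # Public READ is expected for a CDN-served file, so it is only noted.
        severity = "critical" if permission in WRITE_PERMISSIONS else "info"
        who = "anyone" if uri == ALL_USERS else "any AWS account"
        findings.append((who, permission, severity))
    return findings


# Constructed sample ACL (hypothetical owner ID, not a real bucket): the owner
# has FULL_CONTROL, the file is publicly readable, and WRITE is granted to
# every authenticated AWS account.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for who, permission, severity in find_risky_grants(SAMPLE_ACL):
        print(f"[{severity}] {permission} granted to {who}")
```

Enabling S3 Block Public Access (BlockPublicAcls / IgnorePublicAcls) on the account or bucket rejects or ignores such group grants outright, so the scan above is best used to confirm that control is in place and to review existing objects.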
Gainsight’s Response and Remediation
Following the discovery, Varonis reported the vulnerability to Gainsight. According to the report, Gainsight’s security team remediated the misconfiguration within two hours of being notified. Gainsight’s Chief Information Security Officer (CISO), Ben Mussi, confirmed the fix. Mussi stated that the issue was limited to a development environment for the PX product and was related to an S3 bucket misconfiguration.
An internal investigation conducted by Gainsight found no evidence of any malicious activity beyond the proof-of-concept demonstrated by the Varonis researcher. The CISO also affirmed that no customer data was impacted as a result of the vulnerability. The prompt action by Gainsight prevented the exploitation of the flaw.
Source: https://www.infosecurity-magazine.com/news/new-gainsight-supply-chain-hack/