We pwned X, Vercel, Cursor, and Discord through a supply-chain attack (gist.github.com)

🤖 AI Summary
A group of cybersecurity enthusiasts, including 16-year-old Daniel, discovered critical cross-site scripting (XSS) vulnerabilities in Mintlify, an AI documentation platform used by major companies such as Discord, Vercel, and X (Twitter). The flaw lay in how Mintlify's endpoints handled documentation content: a poorly secured endpoint accepted an SVG file with embedded JavaScript, and because that file was then served from customers' documentation pages, the script ran in the browser of anyone who opened a single crafted link, where it could steal the user's credentials. The incident underscores the supply-chain risk of relying on third-party platforms: a weakness in one vendor affected a significant number of Mintlify's customers at once, showing how compromising one platform can have far-reaching implications for many organizations. The researchers received around $11,000 in bug bounties for their responsible disclosure, highlighting the value of proactive security measures in the AI and technology sectors.
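As an added defensive example that is not part of the summarised write-up: a pre-upload check, written with Python's standard-library XML parser, that flags the SVG constructs capable of running script when the image is rendered inline on a documentation page. The function name, the tag and attribute lists, and the two sample SVGs are my own assumptions; the original article does not describe Mintlify's actual validation logic.

```python
import xml.etree.ElementTree as ET

# Constructed lists (assumption): elements and URL schemes that let an
# inline-rendered SVG execute script or load active content in a browser.
ACTIVE_TAGS = {"script", "foreignObject", "set", "animate", "animateMotion",
               "iframe", "embed", "object", "handler"}
DANGEROUS_SCHEMES = ("javascript:", "data:")


def _local(qualified):
    # ElementTree spells namespaced names as "{uri}name"; keep only "name".
    return qualified.rsplit("}", 1)[-1]


def svg_active_content(svg_text):
    """Return a list of findings describing script-capable constructs in an SVG.

    An empty list means nothing suspicious was found. A parse error is itself a
    finding: an unparseable upload should be rejected, not guessed at. For
    untrusted input in production, parse with defusedxml rather than the stdlib
    parser so entity-expansion attacks are blocked as well.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Every SVG/HTML event-handler attribute starts with "on" (onload, onclick, ...).
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            # href / xlink:href pointing at a script or data URL; browsers ignore
            # leading whitespace and case in the scheme, so normalise before matching.
            elif name == "href":
                scheme = value.strip().lower()
                if scheme.startswith(DANGEROUS_SCHEMES):
                    findings.append(f"href with {scheme.split(':', 1)[0]}: scheme on <{tag}>")
    return findings


# Constructed samples: a harmless icon, and one carrying each construct kind above.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
               'xmlns:xlink="http://www.w3.org/1999/xlink" onload="">'
               '<script></script><a xlink:href=" JavaScript:0"/></svg>')
```

A non-empty result is a reason to reject the upload or to serve the file only as a download (Content-Disposition: attachment) rather than inline, which is the mitigation that removes the XSS surface regardless of the SVG's contents.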