At huntr, we love to celebrate the incredible talent in our community who are helping secure the future of AI/ML systems. Today, we’re excited to spotlight Ileana Barrionuevo, known as @acciobugs on huntr, from Córdoba, Argentina. In this blog, we’ll dive into Ileana’s journey into AI/ML bug bounty hunting, her experience with huntr, and how she recently discovered an Improper Access Control vulnerability in the lunary-ai/lunary project—allowing unauthorized privilege escalation and manipulation of projects across different organizations.
Hi, I'm Ileana Barrionuevo (@acciobugs) from Córdoba, Argentina! I work as a security engineer and also teach Secure Software Development at the Universidad Tecnológica Nacional - Facultad Regional Córdoba. As a security researcher, I focus on web and mobile vulnerabilities. I’m a big fan of CTFs and enjoy speaking at InfoSec conferences. Last year, I had the incredible experience of speaking at DEFCON for the first time!
I'm a big fan of code review, so when I saw new AI/ML projects to analyze on huntr, I thought it was worth checking if security had been considered, especially since many are used by big companies. I was surprised to discover basic security bugs, which made it clear that these projects need serious code inspection!
I particularly enjoy deploying the project locally, debugging the app to understand its behavior, and conducting a black-box pentest. I then complement that analysis with white-box testing, as I have access to the source code.
I discovered this platform in October 2020 and began testing various GitHub repositories. At first, I thought finding security bugs through source code would be too difficult. But then I shifted my approach and decided to run a project locally just to see what would happen—and I don’t regret it.
Understanding why things work the way they do is key to helping developers resolve these issues, which is why I love spending my free time hunting for vulnerabilities in the source code!
Recently, @acciobugs identified a significant Improper Access Control (CWE-284) vulnerability in lunary-ai/lunary, an open-source platform designed to manage AI projects across multiple teams. This vulnerability allowed users to manipulate project and user assignments across different organizations, leading to unauthorized privilege escalation.
Here’s a look into @acciobugs' journey in finding and exploiting this vulnerability.
Due to improper backend controls, a member with team management permissions could:
This was all possible because the backend did not properly validate project identifiers when performing these actions, leaving the system open to abuse.
Let’s focus on case C, which demonstrates how an attacker can manipulate other organization members into joining different projects and escalate their privileges.
1. Play with the platform and understand how it works.
The platform's structure manages:
Organization > Project > Owner > Team members (Admins, Viewers, Prompt Editors, etc.).
2. Send a request to change a member from another organization to a project that doesn’t belong to them, or even into a project from your own organization. By modifying the project identifier in the request, you can assign roles such as Admin or Owner to that user, giving them full permissions in the project.
Here’s the modified request:
3. See the changes applied.
After sending the request, the platform accepts the project changes without validating the user's organization. The affected user ends up in a project they don’t own, and the attacker successfully escalates their privileges to an Admin or Owner role.
Here’s the result:
This vulnerability allowed malicious actors to manipulate users across organizations, creating significant inconsistencies and security risks. By escalating privileges to roles like Admin or Owner, attackers could gain unauthorized access to projects, posing a severe threat to the platform’s integrity.
The issue was rooted in the backend’s failure to validate project IDs in the request:
Thanks to @acciobugs’ report, the lunary-ai/lunary team was able to address this vulnerability quickly, preventing further exploitation. This case highlights how improper access control can lead to serious security issues, emphasizing the need for strict backend validation in multi-organization platforms.
Feeling inspired by @acciobugs' impressive find? Join huntr’s community of hackers, researchers, and tech enthusiasts committed to securing AI and open-source software. Whether you're a seasoned pro or just getting started in bug hunting, there's a place for you here. Explore our Beginner’s Guide to AI/ML Bug Hunting and start uncovering vulnerabilities with huntr today!