Founded by President Harry Truman in 1952, the U.S. National Security Agency is supposed to provide security through intelligence gathering, but what happens when it overlooks its own security?

A new report from Contrast Security Inc. today details just that: a security vulnerability found in SkillTree, an open-source NSA training platform maintained on GitHub. The vulnerability exposed systems to cross-site request forgery attacks, allowing attackers to modify training content without proper authorization.

SkillTree was launched in 2020 and was pitched at the time as an internally developed open-source solution for gamifying user training. The vulnerability allowed attackers to target logged-in administrators and modify training content such as videos, captions and text without proper authorization.

The vulnerability was discovered through Contrast Security’s AutoAssess project and was found to be due to the lack of CSRF protections in SkillTree, particularly in endpoints that handle state-changing operations. CSRF protections are security measures that ensure requests made to a web application are legitimate and originate from the authenticated user that are typically implemented using unique tokens to prevent unauthorized state changes.

Tracked as CVE-2024-39326, the vulnerability was discovered on June 12 and rated as moderate in severity. According to the report, it exploits the absence of unique transaction tokens in multiple endpoints, which leaves the platform susceptible to unauthorized state changes.

In one example, attackers can manipulate the “/admin/projects/{projectname} /skills/{skillname}/video” endpoint to alter training materials, compromising the integrity of the training content provided by SkillTree. The manipulation can include uploading unauthorized videos or changing captions and transcripts, leading to potential misinformation or disruption of the training process.

After identifying the vulnerability, Contrast Security informed the NSA maintainers, who subsequently released a patched version of SkillTree on July 2. The fix involved implementing Spring Security’s CSRF protection, which uses the CSRF Token pattern to prevent such attacks.

While the vulnerability may only be ranked with medium severity, the fact that the U.S. chief international spying agency can’t get its security right highlights the increasing risks associated with open-source projects on platforms such as GitHub.

However, Contrast founder and Chief Technology Officer Jeff Williams points out in the report that there is “no point throwing rocks at the NSA over this,” as we are “all living in glass houses as it is.”

“Healthy security means that you will find vulnerabilities and fix them,” Williams notes. “This isn’t the story of a mistake. It’s the story of doing it right — by using great tools and fixing issues quickly.”

Image: Pixabay