02/23/17 The site is down for maintenance. We are actively working to get it redeployed.

The Blend platform makes it easy for borrowers to apply for a mortgage from any desktop, tablet, or mobile device, while lenders work in parallel and follow up instantly with additional requests and information.

Since the Blend platform must collect, manage, and protect sensitive user data, such as PII and imported bank account data, we strive to ensure that the platform is as secure as possible. As such, we value (and reward) the responsible disclosure of any vulnerabilities to us.

Targets

In scope

Out of scope

Any domain/property of Blend or its customers not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization of findings.

Background Information

The Blend platform is composed of an AngularJS/Express.js front-end and several Express.js microservices connected to various back-end databases. The AngularJS/Express.js front-end contains a lender view, which allows lenders to manage loans in the system, and a borrower view, which allows borrowers to complete a mortgage loan application. Lender accounts can only be created by an authorized Admin, whereas borrower accounts can be created either through self-registration or via an invitation email.

Focus Areas

  • Authentication bypass
    • Vertical (e.g. obtain lender privilege from borrower account, or admin privilege from lender account)
    • Horizontal (e.g. obtain other borrower session from one borrower session, or lender-lender)
  • Sensitive data exposure (unauthorized disclosure of loan information or other sensitive user data)
  • “root” access to underlying server(s)
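The vertical and horizontal cases above, as an added defensive illustration that is not code from Blend or this program: an Express.js-style authorization check for a hypothetical loan endpoint that enforces both the role (vertical) and the ownership (horizontal) condition server-side. The roles, loan fields, action policy and in-memory records are assumptions.

```javascript
// Added example (not Blend's code): vertical (role) and horizontal (ownership)
// checks for a loan endpoint, Express-style but runnable without express.
const ROLE_RANK = { borrower: 1, lender: 2, admin: 3 };
const ACTION_MIN_ROLE = { read: 'borrower', update: 'lender', delete: 'admin' }; // assumed policy
// Constructed sample records standing in for a database (assumed schema).
const LOANS = {
  'loan-1': { id: 'loan-1', borrowerId: 'b-1', lenderId: 'l-1' },
  'loan-2': { id: 'loan-2', borrowerId: 'b-2', lenderId: 'l-1' },
  'loan-3': { id: 'loan-3', borrowerId: 'b-3', lenderId: 'l-2' },
};
// Own-property lookup so keys like "constructor" or "__proto__" never resolve.
const own = (obj, key) => (Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined);

// Pure decision: may `user` perform `action` on `loan`?
function canAccessLoan(user, action, loan) {
  if (!user || !loan) return false;
  const rank = own(ROLE_RANK, user.role);
  const minRole = own(ACTION_MIN_ROLE, action);
  if (rank === undefined || minRole === undefined) return false;
  if (rank < ROLE_RANK[minRole]) return false;                  // vertical: role too low
  if (user.role === 'admin') return true;                       // admins are not loan-scoped
  if (user.role === 'lender') return loan.lenderId === user.id; // horizontal: own loans only
  return loan.borrowerId === user.id;                           // borrower: own loan only
}

// Middleware factory. `req.user` is assumed set by an earlier authentication step;
// the loan is fetched server-side by route id so client ownership claims are never trusted.
function authorizeLoan(action, loans = LOANS) {
  return function (req, res, next) {
    const loan = own(loans, req.params.loanId);
    // Same response for missing and not-yours: probing ids learns nothing.
    if (!loan || !canAccessLoan(req.user, action, loan)) {
      return res.status(404).json({ error: 'not found' });
    }
    req.loan = loan;
    return next();
  };
}

// Minimal stand-in for Express's res/next so the middleware runs offline.
function runMiddleware(mw, req) {
  const out = { status: 200, body: null, nextCalled: false };
  const res = { status(s) { out.status = s; return res; }, json(b) { out.body = b; return res; } };
  mw(req, res, () => { out.nextCalled = true; });
  return out;
}
```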

Access

  • Create a borrower account by going to the target and clicking Sign Up.
  • The Blend platform allows you to connect to third party bank accounts. Use these credentials to test the behavior.
    • Bank account credentials:
      • user/pass: blend_test / blend_good
      • Two Factor Auth: 1234 or “tomato”
    • SSN:
      • any 9-digit number.

Scanning

Scanning is not permitted since the Blend platform is hosted behind an AWS ELB (AWS policy).

Rules

This bounty follows Bugcrowd’s standard disclosure terms.