Security Probe Uncovers Critical Flaw
On a Tuesday in May, at 9:12 AM, a routine automated security probe flagged an anomaly. This daily drift query, designed to scan all public objects filtered by anonymous access, had been running for three weeks without issue. This morning, however, it returned a line that should not exist. The probe's output pointed to a backup table intended for Personally Identifiable Information (PII) data, a table that was unexpectedly accessible and, more critically, had a SECURITY DEFINER function associated with it. This setup is a significant security risk, as SECURITY DEFINER functions execute with the privileges of the function's owner, not the user calling it. When combined with EXECUTE TO PUBLIC, it means anyone can execute these functions, potentially gaining elevated privileges.
The implications were immediate. This wasn't just a misconfiguration; it was a potential gateway. The function in question was designed to interact with sensitive data, and its `SECURITY DEFINER` status meant that any user, even an unauthenticated one, could trigger it. The fact that it was associated with a PII backup table amplified the concern. This incident was the first of three critical security vulnerabilities discovered in Supabase within a short period, all stemming from a common root cause: the improper use and inheritance of `SECURITY DEFINER` permissions, often combined with `EXECUTE TO PUBLIC` directives.
The Root Cause: Unchecked Privilege Escalation
The core of the problem lies in how Supabase manages database functions and permissions. PostgreSQL, the database underlying Supabase, supports `SECURITY DEFINER` functions. These functions are powerful because they execute with the privileges of the user who created them, not the user who invokes them. This is useful for tasks that require elevated permissions, such as managing system configurations or performing administrative operations. However, if not managed with extreme care, they can lead to severe security breaches.
The critical vulnerability arises when a `SECURITY DEFINER` function is also made executable by the public role, or inherits such permissions indirectly. This creates a scenario where any user, including anonymous users, can execute a function that runs with the privileges of a more powerful database user (often the Supabase project owner or a privileged service account). In essence, it's like giving a master key to everyone who walks into a building, allowing them to open any door, regardless of their own access level.
The specific incidents identified by the security probe involved functions that, due to their `SECURITY DEFINER` nature, could potentially access or manipulate sensitive data. The `EXECUTE TO PUBLIC` aspect meant that the defense-in-depth strategy was bypassed entirely. Developers often use `SECURITY DEFINER` to encapsulate complex logic or to grant specific, limited permissions for certain operations. The mistake occurs when these functions are inadvertently exposed to the public, or when their ownership and execution context are not rigorously audited. This oversight transforms a tool for controlled privilege delegation into an open invitation for exploitation.
Incident 1: The PII Backup Table
The first incident, uncovered by the automated probe, involved a `SECURITY DEFINER` function associated with a PII backup table. The function itself might have had legitimate administrative purposes, such as data archival or integrity checks. However, its `EXECUTE TO PUBLIC` status meant that any user could invoke it. This raised immediate alarms about potential unauthorized access to sensitive personal data. The function could have been exploited to exfiltrate data, modify records, or even delete critical information, depending on its specific implementation. The investigation into this incident confirmed that the function's definition allowed execution by any role, effectively bypassing Supabase's Row Level Security (RLS) policies that are typically designed to protect data.
The "So What?" Perspective
Developers using Supabase must audit all `SECURITY DEFINER` functions for unintended `EXECUTE TO PUBLIC` permissions. Review function ownership and ensure RLS policies are correctly applied, as these vulnerabilities bypass standard access controls. Expect Supabase to issue stricter guidelines or automated checks for function definitions.
These incidents highlight a critical vulnerability in Supabase's function execution model, allowing unauthorized privilege escalation via `SECURITY DEFINER` functions exposed to the public. The primary risk is unauthorized data access and modification. Users should immediately audit their Supabase projects for such misconfigurations.
This incident points to a potential systemic issue in Supabase's security posture, impacting trust for businesses handling sensitive data. Founders must assess the risk to their applications and consider if Supabase's security guarantees meet their compliance needs. The incident may spur competitors to highlight their more robust security models.
For creators building on Supabase, this means a critical re-evaluation of data security. Any application with user data is at risk if these functions are exploited. Understand that backend security is not just about RLS; it extends to how database functions are defined and secured.
The core data risk revolves around unauthorized access and manipulation of sensitive information, particularly PII. The `SECURITY DEFINER` functions can bypass typical data access controls, allowing for data exfiltration or corruption. This necessitates a deeper dive into database function security and auditing for any system handling sensitive datasets.
Sources synthesised
- 5% Match
