Prototype pollution vulnerability jeopardizes thousands of web applications built on Ember.js

The prototype pollution vulnerability in Ember.js was discovered by accident by information security specialist Masato Kinugawa during an unrelated investigation. He found it on one of Google's domains and reported it through the Google Bug Bounty Program. After studying the vulnerability in more detail, the researcher realized that its root cause lay in the Ember.js framework itself.

In the context of the framework, prototype pollution allows attackers to carry out XSS attacks and steal user information.

According to Kinugawa, if an application passes unvalidated input to certain Ember.js property-setting functions, this can lead to prototype pollution. In practice, this means an attacker can use the property-setting function to walk up to the object's prototype and make changes to other parts of the JS program, including the base Object from which all other objects inherit.

To exploit this vulnerability, the attacker also needs a script gadget: a legitimate fragment of JS code on the web page that uses CSS selectors to read the contents of DOM elements and then processes them in a way that causes the malicious script to run.

In conclusion, Kinugawa recommended that developers carefully examine how URL parameters are processed; according to him, this should make it easier to find such vulnerabilities.
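The mechanism described above (a property-path setter fed with unvalidated input, here taken from URL parameters as the recommendation suggests) is illustrated by the following added example. It is not Ember.js code and not the researcher's proof of concept; the helpers `setPathUnsafe`, `setPathSafe` and `applyQueryParams` are hypothetical names, and the query string is a constructed sample. It shows how a dotted path containing `__proto__` lands on `Object.prototype` in the naive setter, and how a hardened setter refuses such keys.

```javascript
// Added illustration of prototype pollution through a property-path setter.
// Not Ember.js code; helper names are hypothetical, sample input is constructed.

// Vulnerable variant: creates or descends into whatever key the path names,
// so "__proto__" resolves to Object.prototype and the final write pollutes it.
function setPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened variant: rejects prototype-reaching segments and only descends
// into the target's own plain-object properties, never inherited ones.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) {
      throw new Error(`refused to set property path containing "${k}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, keys[i]);
    if (!own || typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) {
      cur[keys[i]] = {};
    }
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Applies every URL query parameter as a property path on the target,
// using whichever setter is passed in (this is where unvalidated input enters).
function applyQueryParams(target, queryString, setter) {
  const params = new URLSearchParams(queryString);
  for (const [key, value] of params) setter(target, key, value);
  return target;
}

// Constructed malicious query: a key whose first segment is "__proto__".
const SAMPLE_QUERY = '?__proto__.polluted=yes';

// Demonstrates the effect on an unrelated, freshly created object.
function pollutionViaUnsafe() {
  const before = ({}).polluted;                       // undefined
  applyQueryParams({}, SAMPLE_QUERY, setPathUnsafe);
  const after = ({}).polluted;                        // "yes": Object.prototype was written
  delete Object.prototype.polluted;                   // clean up the global side effect
  return { before, after };
}

// The hardened setter throws before touching anything; no object is affected.
function pollutionViaSafe() {
  let rejected = false;
  try {
    applyQueryParams({}, SAMPLE_QUERY, setPathSafe);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).polluted };
}

// Ordinary nested paths still work with the hardened setter.
function benignSafeSet() {
  return applyQueryParams({}, '?user.name=alice&user.role=viewer', setPathSafe);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', pollutionViaUnsafe());
  console.log('safe:', pollutionViaSafe());
  console.log('benign:', JSON.stringify(benignSafeSet()));
}
```

The deny-list on path segments is the minimum; a second defence, shown in `setPathSafe`, is to descend only into own properties of the target so that an inherited accessor can never become the write destination. On the detection side, the same check can be turned into a log line whenever a request carries a parameter name containing one of the forbidden segments.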

/Media reports.