- Status Closed
-
Assigned To
xlefloch - Private
Opened by monty099 - 14.07.2024
Last edited by xlefloch - 30.07.2024
FS#60 - On-click Delete any invitation in [admin.alwaysdata.com]
On-click Delete any invitation in [admin.alwaysdata.com]
*Summary:*
The [Create My Own Site] web application system is vulnerable to a click grabbing attack that allows an attacker to trick the user into deleting invitations that they have sent or received without their knowledge.
*Reproduction steps:*
1. Send an invitation to another user.
2. Receive an invitation and try it on the other account.
3. Get the direct link to the invitation and add the /cancel/ command to the URL.
4. Create an HTML proof-of-concept file with the following content:
Programming Language
<a href="https://admin.alwaysdata.com/transfer/Invitation_Number/cancel/----">Click</a>
5. Host this HTML page or send it via link to the victim.
6. Once the victim clicks on the masked link, the invitation is deleted without their explicit consent or knowledge.
An attacker could use their location and attach an HTML file instead of sending a file that the user clicks.
I have sent a proof of concept:
https://admin.alwaysdata.com/support/77431/374245-bandicam%202024-07-14%2007-00-17-624.mp4
*Impact:*
The exploit allows the deletion of any invitation that the user has sent or reached another user without his consent.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
Hello,
This report has been classified as invalid in accordance with our bug bounty program (https://help.alwaysdata.com/en/security/bug-bounty/). This bug does not qualify as an eligible security vulnerability. For this bug to be effective, you must know the recipient of the transfer as well as the ID of the transfer. Furthermore, canceling a transfer cannot be qualified as access to any data source.
Regards,
Hello,
I have to know the invitation number only, and I also clarified that the cancellation can be made from the invitee account and the invited user account.
And all this is done without the consent of the user, That's why this bug is considered valid.
"I have to know the invitation number only" Can you give me a link? I'll try to cancel it with my own account.
I noticed that you fixed the bug several days ago
you can see the proof of concept you sent
You exactly know what i meant,
having only the ID of the transfer is not enough to determine who has the rights to cancel it and that case has always been verified and your proof of concept does not indicate otherwise at all. Unless we send this link to every person on this planet in the hope of reaching the recipient.
Again, as stated in our program, which frames our commitment to security vulnerability research, this report is not eligible.
"having only the ID of the transfer is not enough to determine who has the rights to cancel it"
And really, as I said, the vulnerability impact cannot appear without the knowledge of one of the users who invited or who was invited.
I mean, you're right about what you said.