Two major security vulnerabilities? #4

Open
gbutt opened this issue Mar 12, 2021 · 6 comments
Comments

@gbutt

gbutt commented Mar 12, 2021

Hey Clifford,

I was reviewing your implementation, and I think it has two security vulnerabilities. One of them I consider to be a major security vulnerability.

  1. It stores the private key for recaptcha in javascript and passes it to Salesforce for server-side verification. This is very bad because I can easily get your private key by looking at the Network log in Chrome Dev Tools. This is a major vulnerability and that can be fixed easily by storing the private key within Salesforce and retrieving it in apex.
  2. It does not enforce recaptcha verification with submission of form data. Basically it is not implemented correctly and an attacker can bypass it with ease. We had a similar attack on our systems not long ago, and we were also verifying the recaptcha in a separate callout prior to form submission. I was able to duplicate the attack in about 10 minutes, spam our case queue, and consequently send automated emails to whatever email addresses I chose, all from our company's trusted domain.

I am open to being wrong about these two vulnerabilities, but I feel it would be irresponsible of me not to inform you. Thanks for understanding.

@clifford-fra
Owner

Hey, thanks for the information.

I'm fully aware of these security vulnerabilities and I made the trade-off with easy "in-one-place" configuration. The main purpose of this component is to avoid random spam by bots.

The first security issue can be mitigated easily by hardcoding the private key in Apex or storing the key in a Custom Metadata Type. I will update the FAQ to encourage others to use this approach.

Regarding the 2nd issue: Can you outline the issue a bit more?

@akshith0695

Hi Clifford,

There is an issue with this reCaptcha being used inside a flow and the flow being used in a public community. The issue is that the init method in reCaptcha is called twice. So the Apex class gets called twice, and sometimes the response in the second call comes back as false while the first call comes back as true. Although the reCaptcha says success on the front end, it does not allow going to the next page.

@sfscgjohnson

Regarding the 2nd issue: Can you outline the issue a bit more?

I think we have been hit by the issue listed as the second issue.
Basically, as @gbutt says, because there is no server-side validation during the transaction, it is vulnerable to attack.

Google reCAPTCHA is on your form. You don't enable the Submit button unless they check it.
This isn't enough, as an attacker can post to your Submit button directly, bypassing the reCAPTCHA. Unless the user sends the reCAPTCHA verification token it received back from Google for verification from the server side, the attacker can do that themselves, making the submit button think reCAPTCHA / isHuman = true.
To fix it you have to make it so that the save of your record / form values to Salesforce is done through server-side code only.

Here are some pointers.

https://www.infallibletechie.com/2021/09/how-to-pass-parameter-from-flow-to.html
and the Server Side Code found on this page:
https://www.learnexperiencecloud.com/s/article/Implementing-reCAPTCHA-in-Community-Cloud#ServerSideValidation
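The following is an added example (written for this thread, not code from the component, its owner, or either of the linked articles) of the pattern gbutt's two points and @sfscgjohnson's explanation describe: the secret lives only on the Salesforce side, and the reCAPTCHA token is verified inside the same Apex transaction that inserts the record, so there is no client-settable "isHuman" flag and no separate verify callout to skip. It assumes a Custom Metadata Type named reCAPTCHA_Setting__mdt with a Secret_Key__c field and a record whose DeveloperName is Default, a Remote Site Setting for https://www.google.com, and standard Case fields; all of those names are assumptions for the illustration.

```apex
// Added example for this issue, not the component's own code.
// Assumed names: reCAPTCHA_Setting__mdt (Custom Metadata Type),
// Secret_Key__c (field), 'Default' (record DeveloperName).
public with sharing class RecaptchaFormController {

    private static final String VERIFY_URL =
        'https://www.google.com/recaptcha/api/siteverify';

    public class RecaptchaException extends Exception {}

    // Vulnerability 1 fix: the secret is read server-side from Custom Metadata.
    // It is never sent to the browser and never accepted as a method parameter.
    private static String getSecret() {
        List<reCAPTCHA_Setting__mdt> settings = [
            SELECT Secret_Key__c
            FROM reCAPTCHA_Setting__mdt
            WHERE DeveloperName = 'Default'
            LIMIT 1
        ];
        if (settings.isEmpty() || String.isBlank(settings[0].Secret_Key__c)) {
            throw new RecaptchaException('reCAPTCHA secret is not configured');
        }
        return settings[0].Secret_Key__c;
    }

    // Calls Google's siteverify endpoint with the token the widget produced.
    // Returns true only when Google reports success; a missing token, a
    // non-200 response, or a malformed body all count as failure.
    private static Boolean verifyToken(String token) {
        if (String.isBlank(token)) {
            return false;
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint(VERIFY_URL);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody(
            'secret=' + EncodingUtil.urlEncode(getSecret(), 'UTF-8') +
            '&response=' + EncodingUtil.urlEncode(token, 'UTF-8')
        );
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            return false;
        }
        Map<String, Object> body =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        Boolean success = (Boolean) body.get('success');
        return success == true;
    }

    // Vulnerability 2 fix: the token travels with the form data and the record
    // is inserted only after verification succeeds, in the same transaction.
    // An attacker who posts to this method without a valid, unused token gets
    // an exception and no Case. The callout is made before the DML because
    // Apex does not allow a callout after uncommitted DML in one transaction.
    @AuraEnabled
    public static Id submitCase(String recaptchaToken, String subject,
                                String description, String suppliedEmail) {
        if (!verifyToken(recaptchaToken)) {
            throw new AuraHandledException('reCAPTCHA verification failed');
        }
        Case c = new Case(
            Subject = subject,
            Description = description,
            SuppliedEmail = suppliedEmail,
            Origin = 'Web'
        );
        insert c;
        return c.Id;
    }
}
```

The client-side component then calls only `submitCase`, passing the widget's token alongside the form fields; the old standalone verify method, and any `isHuman` attribute it set, should be removed entirely so there is nothing left for a scripted POST to forge. Because Google treats each token as single-use, a replayed token fails at `verifyToken` rather than being accepted a second time.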

@benedwards44

benedwards44 commented Feb 10, 2022

In regards to vulnerability 2, we had the same issue where our pen testing was easily able to bypass the reCAPTCHA and submit to the server (eg. carry on the Flow) without a user ever validating using the reCAPTCHA component.

I've raised a PR here:
#6

Which addresses this.

In regards to #1, we used a Custom Setting to handle the Secret as well but have left this separate to this.

@patmcclellan

See this blog post that avoids the vulnerabilities, AND doesn't use an iframe. https://www.learnexperiencecloud.com/s/article/Implementing-reCAPTCHA-in-Community-Cloud

@thangeshkathiresan

I have added the Aura component to the flow. The flow is embedded in the external website using Lightning Out. The flow is loading but this Aura component is not loading and is getting the below error.
Refused to frame 'https://{org}.sandbox.my.site.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

I have added the Trusted sites, Trusted Domains, and CORS. But still getting the above error. What needs to be done to fix this error?
