
Potential Security Issue #1687

Open
huntr-helper opened this issue May 23, 2021 · 14 comments

@huntr-helper

👋 Hello, we've received a report for a potential high severity security issue in your repository.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-hackmdio/codimd for more advisory information.

2️⃣ Sign up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community.


Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome


This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

@jackycute
Member

jackycute commented May 25, 2021

I don't quite get it. If you found any security issue, you can just report it here as an issue.
It's ok to disclose here instead of browsing another bug bounty site.

@jackycute
Member

Feel free to reopen or open another issue if you disclose the details.

@JamieSlome

@jackycute - we are currently doing this as many maintainers have asked that reports are kept private, until they can validate the report.

I will post the disclosure details here...

@JamieSlome

✍️ Description

The /exportAllNotes endpoint does not require any CSRF token validation. This could be used to force a download of account data and spoof users.

🕵️‍♂️ Proof of Concept

  1. Log in to a user account.
  2. Create the following file and open it in the browser. Click on the link.
<html>
<body>
<a href="https://hackmd.io/exportAllNotes">Download</a>
</body>
</html>
  3. This downloads the user's data from hackmd. An attacker can then spoof the user to upload this file into their server.

💥 Impact

Private information leakage.

@jackycute jackycute reopened this May 25, 2021
@JamieSlome

JamieSlome commented May 25, 2021

The platform also allows the maintainer to get paid for validating, and confirming patches against advisories.

Plus, we mediate and assign CVEs if needed.

@jackycute
Member

jackycute commented May 25, 2021

Thanks for reporting @JamieSlome.
However, creating a link that lets users download their data is the same as what they do in the profile menu.
The downloaded zip should only be accessible in their own filesystem; I don't see a big concern that users will leak their data elsewhere.

Also, there is no way we can add CSRF for HTTP GET method.

@oomb

oomb commented May 25, 2021

Hey @jackycute, let me put forward the issue in a clearer way. Say that a legitimate user is logged on to their account, and he visits a malicious page at attacker.com with this content.

<html>
<body onload='window.open("https://hackmd.io/exportAllNotes");'>
        To verify that you are a human, upload the zip file that has been downloaded from our website now.
</body>
</html>

A normal user, who doesn't know what has happened, will definitely fall for this attack since he has never requested a file download from CodiMD.

@oomb

oomb commented May 25, 2021

> Also, there is no way we can add CSRF for HTTP GET method.

You could add a CSRF token to the link before download is initiated.
The download link can be given as /exportAllNotes?csrf=<random_string>. The random string will not be known to the attacker, and must be verified on server side.

This would prevent attackers from initiating downloads from the server.

@jackycute
Member

> Hey @jackycute, let me put forward the issue in a clearer way. Say that a legitimate user is logged on to their account, and he visits a malicious page at attacker.com with this content.
>
> <html>
> <body onload='window.open("https://hackmd.io/exportAllNotes");'>
>         To verify that you are a human, upload the zip file that has been downloaded from our website now.
> </body>
> </html>
>
> A normal user, who doesn't know what has happened, will definitely fall for this attack since he has never requested a file download from CodiMD.

This is more like a phishing attack than a CSRF issue.

Since download all notes should be safe, we can consider changing exportAllNotes API to POST method and reserve ability to add CSRF token.

@oomb

oomb commented May 25, 2021

Yeah. You are right. That would be a good fix for this. Can you consider marking this disclosure verified here as well?

/cc @JamieSlome

@jackycute
Member

jackycute commented May 25, 2021

> Yeah. You are right. That would be a good fix for this. Can you consider marking this disclosure verified here as well?
>
> /cc @JamieSlome

I would love to. Can you modify the vulnerability to reflect what we've discussed here? It's potentially phishing for user data, and the severity should be lower in my opinion.

@oomb

oomb commented May 25, 2021

I have updated the write-up as well as the CVSS score. Please let me know if you would like to suggest any changes.
Thanks.

@jackycute
Member

Verified, found a typo though. codemd -> CodiMD.
[Screenshot 2021-05-25 10:17:01 PM]

Thanks for reporting.

@AkechiShiro

Is this security issue still relevant? I don't know if a fix has been implemented.
