⚠ The Push Code Login system could be abused for social engineering attacks #412

Closed
3 tasks done
zekroTJA opened this issue Mar 4, 2023 · 0 comments
Assignees: zekroTJA
Labels: bug (Something isn't working), critical (Something breaking), vulnerability

Comments

zekroTJA (Owner) commented Mar 4, 2023

Type

Authorization Bypass

Instances

  • Canary
  • Stable
  • Self-Hosted

Description

The Push Login code system could be used to phish logins of other users by convincing the victim to send a login code from your browser session into the DMs of shinpuru with their Discord login. This would log in the attacker with the authentication of the victim user.

This can be circumvented by adding a message, which must be accepted before getting logged in, which warns that you should never enter any login codes sent by other users.

Steps to Reproduce

Attacker's side

  1. Open the login page
  2. Copy the authentication code
  3. Send the code to someone and convince them to send the code to shinpuru via DM

Victim's side

  1. Copy the sent login code
  2. Enter it into the DMs of shinpuru

Now, the attacker is logged in as the user who entered the code.

Attachments

No response
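The flow above, modelled as an added Go example that is not shinpuru's code: `PushLogin`, `Issue`, `RedeemUnsafe`, `Redeem`, `Accept`, `SessionUser` and the warning text are all assumptions made for illustration, and the store is kept single-goroutine (no locking) to stay short. `RedeemUnsafe` binds the issuing browser session to whichever Discord user DMs the code, which is exactly what lets a forwarded code hand the attacker's session the victim's login. `Redeem` instead parks the code as pending and returns a warning that the same user has to accept before `Accept` completes the login; codes are single-use and expire.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
	"time"
)

// Added example: a minimal model of a Discord push-code login. It is not
// shinpuru's code; every name below is an assumption made for illustration.
var ErrUnknownCode = errors.New("unknown, used or expired push code")
var ErrNotPending = errors.New("no pending login for this user")

type issuedCode struct {
	sessionID string    // browser session that opened the login page
	expires   time.Time // codes are short-lived
}

type PushLogin struct {
	codes    map[string]issuedCode // code -> issuing browser session
	pending  map[string]string     // Discord user ID -> code entered but not yet accepted
	sessions map[string]string     // browser session ID -> authenticated Discord user ID
	ttl      time.Duration
	now      func() time.Time // injectable clock
}

func NewPushLogin(ttl time.Duration) *PushLogin {
	return &PushLogin{codes: map[string]issuedCode{}, pending: map[string]string{},
		sessions: map[string]string{}, ttl: ttl, now: time.Now}
}

// Issue is called when a browser session opens the login page; the returned
// one-time code is what that session's user is expected to DM to the bot.
func (p *PushLogin) Issue(sessionID string) (string, error) {
	var raw [10]byte
	if _, err := rand.Read(raw[:]); err != nil {
		return "", err
	}
	code := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw[:])
	p.codes[code] = issuedCode{sessionID: sessionID, expires: p.now().Add(p.ttl)}
	return code, nil
}

// lookup returns the code's state if it exists and is unexpired.
func (p *PushLogin) lookup(code string) (issuedCode, bool) {
	ic, ok := p.codes[code]
	if ok && p.now().After(ic.expires) {
		delete(p.codes, code)
		ok = false
	}
	return ic, ok
}

// RedeemUnsafe reproduces the reported behaviour: whoever DMs a valid code logs
// the issuing browser session in as themselves, immediately and without warning.
func (p *PushLogin) RedeemUnsafe(code, userID string) error {
	ic, ok := p.lookup(code)
	if !ok {
		return ErrUnknownCode
	}
	delete(p.codes, code) // single use
	p.sessions[ic.sessionID] = userID
	return nil
}

// Redeem is the hardened variant: the code is parked as pending for this user
// and a warning is returned that must be accepted first. Nothing is logged in yet.
func (p *PushLogin) Redeem(code, userID string) (string, error) {
	if _, ok := p.lookup(code); !ok {
		return "", ErrUnknownCode
	}
	p.pending[userID] = code
	return fmt.Sprintf("You are about to log a browser session in as your Discord account.\n"+
		"Never enter a login code another user sent you: doing so hands them your login.\n"+
		"If you copied %s from your own browser, reply: accept", code), nil
}

// Accept completes a pending login; only the user who entered the code can
// accept it, and the code must still be valid and unused at that moment.
func (p *PushLogin) Accept(userID string) error {
	code, ok := p.pending[userID]
	if !ok {
		return ErrNotPending
	}
	delete(p.pending, userID)
	ic, ok := p.lookup(code)
	if !ok {
		return ErrUnknownCode
	}
	delete(p.codes, code)
	p.sessions[ic.sessionID] = userID
	return nil
}

// SessionUser reports which Discord user, if any, a browser session is logged in as.
func (p *PushLogin) SessionUser(sessionID string) (string, bool) {
	u, ok := p.sessions[sessionID]
	return u, ok
}
```

The accept step does not make the forwarded code useless by itself: a victim who reads the warning and still replies "accept" is still logged into the attacker's session. What it buys is that the bot states, at the moment the decision is made, that a code from someone else gives that person your login, instead of silently completing the request. Keeping the code single-use and short-lived limits how long a leaked code can be replayed.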

zekroTJA added the bug, critical and vulnerability labels Mar 4, 2023
zekroTJA self-assigned this Mar 4, 2023
zekroTJA added this to the Release v1.39.0 milestone Mar 4, 2023
zekroTJA added a commit that referenced this issue Mar 4, 2023:
- add accept message before logging in
- some more minor fixes and optimizations
- add API docs for pushcode endpoint
zekroTJA closed this as completed Mar 4, 2023