RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Another Exploit to crash browsers #7442

Open WebSavvyDude opened 7 years ago

WebSavvyDude commented 7 years ago

Rocket.Chat Version: 0.56.0
Running Instances: 1
DB Replicaset OpLog:
Node Version:

Have a situation where a user was scrolling hundreds of blank messages and locking up everyone's browsers. He started off his message with a bunch of "@ here ".

(screenshot attached)
WebSavvyDude commented 7 years ago

If anyone knows a way to permanently block "@ here" from being used that would be very helpful. This loser is non-stop doing it.

UPDATE: I filtered out the word @ to help. But obviously that shouldn't be a long-term solution.

localguru commented 7 years ago

How can I reproduce it? Did some tests with 0.57.1, but can't reproduce it.

WebSavvyDude commented 7 years ago

I have no idea how to, but it's happening now even with the @ blocked. Constant flooding and locking up the browser.

I am on 0.56.0 though so not sure that makes a difference.

@localguru I sent you an email with the site url so you can see it in action.

WebSavvyDude commented 7 years ago

He is using

@here @here @here @here @here @here @here <br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>

repeatedly flooding that and locking up everyone's browser.

I also found this in the logs.

(screenshot of the log attached)
localguru commented 7 years ago

He is posting just a @here message with I guess the maximum allowed message size. Try to reduce the "Maximum Allowed Message Size".

WebSavvyDude commented 7 years ago

He is able to continuously log in as different guest names and even some of his names show up blank on the screen (see screenshot). I have the maximum allowed message size all the way down to 20 and it's not helping.

(screenshot attached)

When I click "reply" on the blank message, I can only then see what username he is using.

UPDATE: The blank names were probably because he did a spam for each line so his name was not actually blank. They were just grouped together so please ignore that pic.

localguru commented 7 years ago

aside from the issue what do you expect on a site you are providing ;)

WebSavvyDude commented 7 years ago

Excuse me, I don't understand? @localguru

Our site provides a place for users to chat.

What am I providing and what does this have to do with the exploit?

localguru commented 7 years ago

@WebSavvyGuy an anonymous "teen chat" with ads to a dubious live cam site, right. ;) And you are wondering about "losers" hanging on your site? Don't misunderstand me I don't judge you; everybody in his own world. But I guess that's the user base you have to live with.

WebSavvyDude commented 7 years ago

Well nothing illegal on the site I can assure you. Just bringing up this exploit.

Whether these losers go there or not, the fact is they are still out there and can pounce on anybody's Rocket Chat. Saying our site attracts them is being a bit naive. The fact is the exploit is there. Any half popular site could be easily affected.

If Rocket Chat goes more mainstream that's just the nature of the beast. If they want to keep their product within an office environment with a few people, I am sure nobody will be complaining, but I am sure that is not their intention.

localguru commented 7 years ago

You are right, if there is a bug, it has to be fixed. I personally don't agree with your project at all, but I'll split that up from the technical side.

WebSavvyDude commented 7 years ago

Yes, please do. You can internet police elsewhere. Github is definitely not the place.

graywolf336 commented 7 years ago

So, what are the exact steps to reproduce? Aka how does @WebSavvyGuy reproduce this in a new instance of Rocket.Chat?

WebSavvyDude commented 7 years ago

@graywolf336 No idea how to reproduce it. Just an exploit that I witnessed, and it clearly worked in bringing the browser window to its knees. Limiting the number of characters (including br's) or messages posted in a row (flood control) would help this issue if we can get that.

Tracking the IP down of the culprit was a bit difficult but doable. Talked to @geekgonecrazy about possibly getting IP address feature so we can ban/report users doing this.
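The two mitigations suggested above (a cap on rendered line breaks and broadcast mentions, plus per-sender flood control) as an added example; this is not Rocket.Chat's own code, and the limits, the `senderKey` and the sample message are constructed assumptions:

```javascript
// Added example (not Rocket.Chat's code): a server-side message gate that rejects
// the pattern described in this issue. Limits are hypothetical constants.
const LIMITS = {
  maxLineBreaks: 5,      // <br> tags or newlines that survive rendering
  maxBroadcasts: 1,      // @here / @all mentions per message
  maxMsgsPerWindow: 5,   // flood control: messages per sender per window
  windowMs: 10000,
};

const BR_RE = /<br\s*\/?>/gi;
const BROADCAST_RE = /(^|\s)@(here|all)\b/gi;

function countMatches(text, re) {
  return (text.match(re) || []).length;
}

// Content check: counts rendered line breaks and broadcast mentions rather than
// bytes, so a short message padded with hundreds of <br> tags is still caught
// even when a byte-based "Maximum Allowed Message Size" would not catch it.
function checkContent(text, limits = LIMITS) {
  const breaks = countMatches(text, BR_RE) + countMatches(text, /\n/g);
  if (breaks > limits.maxLineBreaks) return { ok: false, reason: 'too-many-line-breaks' };
  const broadcasts = countMatches(text, BROADCAST_RE);
  if (broadcasts > limits.maxBroadcasts) return { ok: false, reason: 'too-many-broadcast-mentions' };
  return { ok: true };
}

// Sliding-window flood control keyed by a stable sender identity (account id or
// source IP); guest display names are not stable, as the thread notes. A rejected
// message still counts toward the window, so retrying does not reset the limit.
class FloodControl {
  constructor(limits = LIMITS) { this.limits = limits; this.seen = new Map(); }
  allow(senderKey, now = Date.now()) {
    const cutoff = now - this.limits.windowMs;
    const recent = (this.seen.get(senderKey) || []).filter((t) => t > cutoff);
    recent.push(now);
    this.seen.set(senderKey, recent);
    return recent.length <= this.limits.maxMsgsPerWindow;
  }
}

// Gate combining both checks; the reason is meant for the moderation log.
function gateMessage(senderKey, text, flood, now = Date.now()) {
  if (!flood.allow(senderKey, now)) return { ok: false, reason: 'flood' };
  return checkContent(text);
}

// Constructed sample shaped like the message quoted in this issue.
const SAMPLE_ABUSIVE = '@here @here @here ' + '<br>'.repeat(120);
```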

TwizzyDizzy commented 6 years ago

Well... what to do about this issue? Obviously we do not have enough information to reproduce it? Banning / reporting is already part of other issues (I think, yet still if it's not, the issue at hand would not be the right place for it).

So either we are able to narrow this down or I'll vote for closing this issue.

Cheers & thanks for any additional information anybody might be able to provide,
Thomas

WebSavvyDude commented 6 years ago

Rocket Chat has a lot of exploits.

I’m hearing it's related to the API.

I don’t care either way. Vote to your heart's content LOL. I’ve stopped using Rocket.Chat long ago due to all the exploits that are possible on this application.

Have it closed, I expect nothing less from you.

TwizzyDizzy commented 6 years ago

> Rocket Chat has a lot of exploits.

This sentence provides no additional information - even if it was true.

> I’m hearing it's related to the API.

If you could elaborate, I'd be rather thankful.

> I don’t care either way. Vote to your heart's content LOL. I’ve stopped using Rocket.Chat long ago due to all the exploits that are possible on this application.

Also a rather non-productive statement. What do you expect to achieve by such destructive behaviour?

> Have it closed, I expect nothing less from you.

My aim is not to close the issue for the sake of closing it, but to find the issue. If we can't narrow it down or reproduce it, though, it doesn't make much sense to leave the issue open. A problem that can't be reproduced (and nobody willing to try to do so) is the same as a problem that does not exist.

Thanks anyway for your productive statements.

Cheers,
Thomas

WebSavvyDude commented 6 years ago

Sorry not feeling like getting into yet another debate.

If I had an answer about the API exploits I’d fix it myself.

I have no further information. Rocket.Chat has a lot of exploits that I had seen and was just too tired to open issues about because I know nothing would have been done to fix it.

Most users will never see these exploits as they run RC for very small offices. We tried to run RC on a very popular website and had no success at all with both performance and the vulnerability of exploits.

That’s pretty much all I have to say.

I only replied because of your eagerness to close or turn away from these very real issues of exploiting that RC goes through. I believe you were also the one against IP logs. (No, let's not go there again.)

Thanks anyways.

geekgonecrazy commented 6 years ago

An API that can be abused by abusive users can't really be classified as a vulnerability. We definitely are not super well suited for anonymous chat.

Sadly many of the issues I think you have encountered were cases that we could not reproduce.

Sad to hear you aren't using.. but with your use case it definitely makes sense.

But as @TwizzyDizzy said very well defined issues, with steps defined to easily reproduce (not just in your chat only) .. are key.

Vague issues that are hard to get to bottom of. Like with any project... Will not stay at top of stack. Well defined and easy to reproduce will always win out.

Just the nature of software development. If I can spend 30 minutes fixing an issue I will pick it over one I have to spend undefined amount of time just to reproduce before I can even start fixing.

@TwizzyDizzy I think focus would definitely be best suited on spam control related issues

WebSavvyDude commented 6 years ago

Thanks Aaron. You have always been helpful in the past and I’m grateful for that. It just simply didn’t work out in the direction it was headed.

Too much focus on new features rather than making the product more stable especially for large scale use. I do understand that focus though... as this app is more suited for smaller scale office use.