bartervg / barter.vg

Track and hold discussion on Barter.vg bugs, enhancements, and other issues
https://barter.vg
MIT License

Counter offer could hide other offer #299

Open bartervg opened 1 year ago

bartervg commented 1 year ago

Describe the bug

Manipulating a new offer can hide another offer on the /o/ page, even if that offer has failed and is disputed.

When proposing an offer, the variable counter_id refers to the countered offer's ID. The offer page uses this variable to consolidate all counter offers into a single offer. However, this variable is a user input and can be set to an arbitrary value. Before saving this value, there is validation that the counter ID refers to an offer that was sent to the countering user, but there is no validation of the offer's status. By setting the counter ID to any other offer ID, the sender can effectively hide an accepted, completed, or failed offer from the /o/ section.

The "hidden" offer is still accessible via its URL, in the counter offer, and in the feed activity, but it will no longer appear in /o/.

Steps to reproduce the bug

  1. Create a new offer
  2. Manipulate the counter ID to refer to another offer, even if that offer has failed
  3. The target offer is no longer visible in /o/

Expected behavior

The target offer should remain visible. Users should not be able to counter offers that are no longer proposed/pending. While disputes are displayed in multiple places, this bug could allow users to manipulate the visibility and status of offers that they should not affect.

Additional context, device information (OS & Browser) if applicable

Reported and demonstrated by @Revadike for a bug bounty on 2022-11-12.

bartervg commented 1 year ago

Now before saving counter_id, a new offer checks if the supposed countered offer is proposed and pending. If not, counter_id is assumed to be invalid, and the offer creation proceeds, but as a new offer rather than as a counter offer.

Clicking < Counter creates a feed activity line. For example,

28 minutes ago ellipsism countered offer from Barter.vg bot with offer.

This activity appears even if the counter offer is subsequently cancelled. This gives additional visibility to counter offers and addresses issue #285. Given the potential increase in activity, the number of more notifications... increased from 23 to 33.

On the offer page, links to the countered offer appear next to user name.

to Barter.vg bot countered

Even without an exploit issue, navigating counter offers was difficult.

Within a counter offer, there continues to be a link to the original offer that was countered. Although I moved it to various locations, I could not find a better spot and it remains in the same place. I did make small changes ( countered ✉ ) to the title and link text.
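The following is an added Python model of the counter_id validation described in the bug report and the fix described in the reply above. It is illustrative code written for this page, not Barter.vg's own code (which is not shown here); the status names, the Offer fields, and the way the /o/ page consolidates counter offers into a single entry are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Offer statuses used by this illustration (assumed names, not Barter.vg's own).
PROPOSED = "proposed"     # pending, awaiting the recipient's reply
ACCEPTED = "accepted"
COMPLETED = "completed"
FAILED = "failed"         # also used here for disputed offers


@dataclass
class Offer:
    offer_id: int
    sender: str
    recipient: str
    status: str = PROPOSED
    counter_id: Optional[int] = None   # ID of the offer this one counters, if any


def validate_counter_id_vulnerable(offers: Dict[int, Offer], sender: str,
                                   counter_id: Optional[int]) -> Optional[int]:
    """Check as the issue describes it: the countered offer must exist and have
    been sent *to* the countering user, but its status is never inspected."""
    target = offers.get(counter_id)
    if target is None or target.recipient != sender:
        return None
    return counter_id


def validate_counter_id_fixed(offers: Dict[int, Offer], sender: str,
                              counter_id: Optional[int]) -> Optional[int]:
    """Fixed check: additionally require the countered offer to be proposed and
    pending. Otherwise counter_id is treated as invalid and the offer is still
    created, but as a new offer rather than a counter offer."""
    target = offers.get(counter_id)
    if target is None or target.recipient != sender:
        return None
    if target.status != PROPOSED:
        return None
    return counter_id


def create_offer(offers: Dict[int, Offer], sender: str, recipient: str,
                 counter_id: Optional[int],
                 validator: Callable[[Dict[int, Offer], str, Optional[int]], Optional[int]]) -> int:
    """Save a new offer, storing only a counter_id that passes the validator."""
    new_id = max(offers) + 1 if offers else 1
    offers[new_id] = Offer(new_id, sender, recipient,
                           counter_id=validator(offers, sender, counter_id))
    return new_id


def visible_on_offers_page(offers: Dict[int, Offer]) -> list:
    """Assumed model of the /o/ consolidation: any offer that has been countered
    is folded into its counter, so only the heads of counter chains are listed."""
    countered = {o.counter_id for o in offers.values() if o.counter_id is not None}
    return sorted(oid for oid in offers if oid not in countered)


def demo(validator) -> list:
    """Constructed scenario: the bot sent offer 1 to alice and it failed. alice
    then submits a new offer to the bot with counter_id=1 in the request."""
    offers: Dict[int, Offer] = {1: Offer(1, "bot", "alice", status=FAILED)}
    create_offer(offers, "alice", "bot", counter_id=1, validator=validator)
    return visible_on_offers_page(offers)


if __name__ == "__main__":
    print("vulnerable check, /o/ shows:", demo(validate_counter_id_vulnerable))
    print("fixed check, /o/ shows:     ", demo(validate_counter_id_fixed))
```

With the original check the failed offer 1 is swallowed into the new counter and disappears from the list; with the status check the request's counter_id is dropped and both offers stay visible. The recipient check alone is not enough because it only proves the attacker was a party to the target offer, not that the target is still open to being countered.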