globaleaks / globaleaks-whistleblowing-software

GlobaLeaks is a free and open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org
Other
1.25k stars 274 forks source link

Exception API Phishing Vulnerability #2181

Open evilaliv3 opened 6 years ago

evilaliv3 commented 6 years ago

This to keep track of the remediation suggested by team subgraph in relation to a possible Phishing Vulnerability on the Exception API as part of their recent security audit: https://github.com/globaleaks/GlobaLeaks/wiki/Security-Audit-5:-Team-Subgraph

Discussion The application allows unauthenticated access to the exception REST API endpoint. This API will send exception emails to the users configured to receive notifications. The exception emails are generated based on information supplied to the API by the user. This lets users inject potentially misleading or malicious content into exception emails. The handler for the exception API allows unauthenticated access by default (the check_roles direc- tive is set to a wildcard value).

Impact Analysis This issue can be exploited to launch phishing attacks against users configured to receive exception notification emails. As they will appear to come from the application, and may even be encrypted if encrypted notifications are configured, the target of the phishing attack may trust the email contents. The emails will still include exception information so in all likelihood an attacker would exploit this to trick a user into visiting a malicious link or provide misleading information about the state of the application. The errorUrl field of the exception request allows unformatted input to be injected in the notification emails.

Remediation Recommendations Our understanding of this API is that it is meant to capture client-side exceptions. Therefore, it may be by-design that exceptions generated by unauthenticated users are captured. This makes the issue trickier to address. A compromise may be to only enable unauthenticated exceptions to be generated in development mode and to require authentication in production mode. GlobaLeaks could also try to filter or structure the exception information in such a way that it cannot be easily manipulated by the user. This may also be challenging to implement. Another option is to advise the recipient of the exception email that the report may contain untrusted information delivered from the client.

evilaliv3 commented 6 years ago

After having discussed with the team Subgraph about the reasons for an unauthenticated exception handler the following has been identified as valid remediation to add a simple text on top of the message sent via email to administrators when an exception is notified.

The exception notification should contain a trailer message that clarify that the exception content may contain malicious content or content specifically forged for phishing reasons and suggest to consider that content as possibly malicious.