hackmdio / codimd

CodiMD - Realtime collaborative markdown notes on all platforms.
https://hackmd.io/c/codimd-documentation
GNU Affero General Public License v3.0

Potential Security Issue #1687

Open huntr-helper opened 3 years ago

huntr-helper commented 3 years ago

👋 Hello, we've received a report for a potential high severity security issue in your repository.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-hackmdio/codimd for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community.

Confused or need more help?

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

jackycute commented 3 years ago

I don't quite get it, if you found any security issue, you can just report here as issue. It's ok to disclose here instead of browsing another bug bounty site.

jackycute commented 3 years ago

Feel free to reopen or open another issue if you disclose the details.

JamieSlome commented 3 years ago

@jackycute - we are currently doing this as many maintainers have asked that reports are kept private, until they can validate the report.

I will post the disclosure details here...

JamieSlome commented 3 years ago

✍️ Description

The /exportAllNotes endpoint does not require any CSRF token validation. This could be used to force a download of account data and spoof users.

πŸ•΅οΈβ€β™‚οΈ Proof of Concept

  1. Login to user account.
  2. Create the following file and open in browser. Click on the link.
    <html>
    <body>
    <a href="https://hackmd.io/exportAllNotes">Download</a>
    </body>
    </html>
  3. This downloads the user's data from hackmd. An attacker can then spoof the user into uploading this file to their server.

💥 Impact

Private information leakage.

JamieSlome commented 3 years ago

The platform also allows the maintainer to get paid for validating, and confirming patches against advisories.

Plus, we mediate and assign CVEs if needed.

jackycute commented 3 years ago

Thanks for reporting @JamieSlome. However, creating a link that lets a user download their data is the same as what they do in the profile menu. The downloaded zip should only be accessible on their own filesystem; I don't see a big concern that the user will leak their data elsewhere.

Also, there is no way we can add CSRF for the HTTP GET method.

oomb commented 3 years ago

Hey @jackycute, let me put forward the issue in a clearer way. Say that a legitimate user is logged in to their account, and he visits a malicious page at attacker.com with this content.

<html>
<body onload='window.open("https://hackmd.io/exportAllNotes");'>
        To verify that you are a human, upload the zip file that has been downloaded from our website now.
</body>
</html>

A normal user, who doesn't know what has happened, will definitely fall for this attack since he never requested a file download from CodiMD.

oomb commented 3 years ago

> Also, there is no way we can add CSRF for HTTP GET method.

You could add a CSRF token to the link before the download is initiated. The download link can be given as /exportAllNotes?csrf=<random_string>. The random string will not be known to the attacker and must be verified on the server side.

This would prevent an attacker from initiating downloads from the server.

jackycute commented 3 years ago

> Hey @jackycute, let me put forward the issue in a clearer way. Say that a legitimate user is logged in to their account, and he visits a malicious page at attacker.com with this content.
>
> <html>
> <body onload='window.open("https://hackmd.io/exportAllNotes");'>
>         To verify that you are a human, upload the zip file that has been downloaded from our website now.
> </body>
> </html>
>
> A normal user, who doesn't know what has happened, will definitely fall for this attack since he never requested a file download from CodiMD.

This is more like a phishing attack than a CSRF issue.

Since downloading all notes should be safe, we can consider changing the exportAllNotes API to the POST method and reserving the ability to add a CSRF token.

oomb commented 3 years ago

Yeah. You are right. That would be a good fix for this. Can you consider marking this disclosure verified here as well?

/cc @JamieSlome

jackycute commented 3 years ago

> Yeah. You are right. That would be a good fix for this. Can you consider marking this disclosure verified here as well?
>
> /cc @JamieSlome

I would love to; can you modify the vulnerability to reflect what we've discussed here? It's potentially phishing for user data, and the severity should be lower in my opinion.

oomb commented 3 years ago

I have updated the write-up as well as the CVSS score. Please let me know if you would like to suggest any changes. Thanks.

jackycute commented 3 years ago

Verified, found a typo though. codemd -> CodiMD.

[Screenshot 2021-05-25 10.17.01 PM]

Thanks for reporting.

AkechiShiro commented 11 months ago

Is this security issue still relevant? I don't know if a fix has been implemented.