User Account Deletion and more via Clickjacking in heroiclabs/nakama

Valid

Reported on

May 24th 2022

Description

As nakama console is not restricted from being loaded in an iframe, clickjacking attack is possible.

Proof of Concept

Login to nakama console.
Save the following as an .html file and open it in the browser to see that the page loads into an iframe.

<iframe src="http://<ip-address>:<port>"></iframe>

Impact

Deletion of user accounts in User Management section.
Deletion or Banning of users in the User Accounts Deletion of Storage Objects and User Groups section and more.

While it impacts a number of features, adding a proper X-Frame-Options header in the response remediates all of the occurrences

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada modified the report

a year ago

We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago

We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. a year ago

A heroiclabs/nakama maintainer has acknowledged this report a year ago

Andrei Mihu

commented a year ago

Maintainer

Thanks for the report, we're looking into this and will respond in more depth as soon as possible.

Niraj Khatiwada

commented a year ago

Researcher

Is there any update?

Niraj Khatiwada

commented a year ago

Researcher

Here is a video POC: https://www.youtube.com/watch?v=uyC-6HpwX34

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada

commented a year ago

Researcher

I have removed the POC code added before as it required modification on a case by case basis to work. While the iframe code works to verify, here is a POC video.

Niraj Khatiwada

commented a year ago

Researcher

*POC video: https://youtu.be/1Vic7fY78jc

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada modified the report

a year ago

Andrei Mihu validated this vulnerability a year ago

Niraj Khatiwada has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Andrei Mihu marked this as fixed in 3.13.0 with commit 50642a a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. a year ago

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada modified the report

a year ago

We have contacted a member of the heroiclabs/nakama team and are waiting to hear back a year ago

We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. a year ago

A heroiclabs/nakama maintainer has acknowledged this report a year ago

Andrei Mihu

commented a year ago

Maintainer

Thanks for the report, we're looking into this and will respond in more depth as soon as possible.

Niraj Khatiwada

commented a year ago

Researcher

Is there any update?

Niraj Khatiwada

commented a year ago

Researcher

Here is a video POC: https://www.youtube.com/watch?v=uyC-6HpwX34

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada

commented a year ago

Researcher

I have removed the POC code added before as it required modification on a case by case basis to work. While the iframe code works to verify, here is a POC video.

Niraj Khatiwada

commented a year ago

Researcher

*POC video: https://youtu.be/1Vic7fY78jc

Niraj Khatiwada modified the report

a year ago

Niraj Khatiwada modified the report

a year ago

Andrei Mihu validated this vulnerability a year ago

Niraj Khatiwada has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Andrei Mihu marked this as fixed in 3.13.0 with commit 50642a a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation