Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy


Reported on

Jun 18th 2021

✍️ Description

The user/reset-api-key/endpoint does not have a CSRF protection. This could be exploited by an attacker to change the API key without the admin not actually requesting for a change.

🕵️‍♂️ Proof of Concept

For the following attack to work, the admin (victim) must be logged into their account. The victim is then tricked by the attacker to visit a malicious page containing the following HTML.

<a href="">Click Here</a>

When the user clicks on the link, the API Key is reset without actually the victim requesting for a change.

💥 Impact

Since the API key is changed without the user requesting for it, it can affect user's experience and might cause failure of other applications utilizing this API Key.


This attack could be easily prevented by requiring a valid CSRF token to validate the click.



Christopher Charbonneau Wells validated this vulnerability 2 years ago
Oomb has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells marked this as fixed with commit 1689bc 2 years ago
Christopher Charbonneau Wells has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation