Cross-Site Request Forgery (CSRF) in firefly-iii/firefly-iii

Reported on Jun 2nd 2021

✍️ Description

The /export/export endpoint has no CSRF protection: a request to it from a page the attacker controls is honoured with the victim's session. This can be used to force a download of the victim's account data, after which the attacker only needs to trick the user into handing that file over.

🕵️‍♂️ Proof of Concept

  • Log in to a user account.
  • Create the following file and open it in the same browser (the href value was not captured in this copy of the report):
        <!-- PoC.html -->
        To verify that you are a human, upload the file that has been downloaded from our website now.
        <a href="">Download Test File</a>
  • Following the link downloads the user's data from the application without the user's consent, because the browser attaches the session cookie and the endpoint asks for no CSRF token. An attacker can then deceive the user into uploading this file to an attacker-controlled server.

💥 Impact

Potential leakage of private financial data through phishing, made possible by the missing CSRF token on the export endpoint.
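To make the missing control concrete, here is an added example (not code from Firefly III or from the report) of the server-side checks an export endpoint needs so that the PoC above stops working: the action must be a POST, the Origin header (if present) must belong to the application, and the request must carry a CSRF token that is cryptographically bound to the caller's session. The origin https://firefly.example, the session id and the request dictionaries are constructed for the example; the `_token` form field, the `X-CSRF-TOKEN` header and the 419 status reflect Laravel's conventions, which is the framework Firefly III uses.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed for this example: a real application loads its signing key from
# configuration and keeps it out of source control.
SECRET_KEY = secrets.token_bytes(32)

# Origins from which browser requests to this application are legitimate (assumed).
ALLOWED_ORIGINS = {"https://firefly.example"}


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over session id and nonce, so a token is valid for one session only."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Create the token the application embeds in its export form (`_token` in Laravel)."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC and compare in constant time; malformed or foreign tokens fail."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def handle_export(request: Dict) -> Tuple[int, str]:
    """Toy export endpoint with the checks the report says were missing.

    `request` is a plain dict standing in for a framework request object:
    {"session": str or None, "method": str, "headers": dict, "form": dict}.
    """
    session_id = request.get("session")
    if not session_id:
        return 401, "login required"

    # Handing out account data is a sensitive action: a plain <a href> (a GET
    # navigation, which is what the PoC uses) must not be able to trigger it.
    if request.get("method") != "POST":
        return 405, "export requires POST"

    headers = request.get("headers", {})
    # Browsers attach Origin to cross-site POSTs; an unexpected origin is refused
    # before the token is even inspected (defence in depth, not a replacement).
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, f"cross-site request from {origin} refused"

    # The token may arrive as a form field or as a header.
    token = request.get("form", {}).get("_token") or headers.get("X-CSRF-TOKEN")
    if not verify_csrf_token(session_id, token):
        return 419, "CSRF token mismatch"

    return 200, "export.csv"


def demo() -> Dict[str, int]:
    """Run the request shapes that matter for this report; returns status code per case."""
    victim = "session-abc"  # constructed session id of the logged-in victim
    good_token = issue_csrf_token(victim)
    same_site = {"Origin": "https://firefly.example"}
    cases = {
        # The report's PoC: a link on an attacker page, i.e. a GET with no token.
        "poc_link_get": {"session": victim, "method": "GET", "headers": {}, "form": {}},
        # A cross-site form POST: Origin reveals the attacker page.
        "cross_site_post": {"session": victim, "method": "POST",
                            "headers": {"Origin": "https://attacker.example"}, "form": {}},
        # Same-site but the token is missing (e.g. a stale or hand-built form).
        "post_without_token": {"session": victim, "method": "POST", "headers": same_site, "form": {}},
        # The application's own export form with a valid session-bound token.
        "legit_post": {"session": victim, "method": "POST", "headers": same_site,
                       "form": {"_token": good_token}},
    }
    return {name: handle_export(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20s} -> {status}")
```

Running the module prints 405 for the PoC-style link, 403 for the cross-site POST, 419 for a same-site POST without a token, and 200 only for the application's own form. Binding the token to the session id (rather than using one static token) means a token leaked from another user's page cannot be replayed against the victim.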