Cross-Site Request Forgery (CSRF) in hackmdio/codimd

Reported on May 23rd 2021

✍️ Description

The /exportAllNotes endpoint does not perform any CSRF token validation. A third-party page can therefore force a logged-in user's browser to download the account's data, and an attacker could then try to spoof the user into handing that download over.

🕵️‍♂️ Proof of Concept

  1. Log in to the user account.
  2. Create the following file and open the page in the browser.

<body onload='"");'>
        To verify that you are a human, upload the zip file that has been downloaded from our website now.

  3. This downloads the user's data from CodiMD without the user's permission. An attacker can then spoof the user into uploading this file to an attacker-controlled server.

💥 Impact

Potential private information leakage through phishing, by exploiting the missing CSRF token check.