Improper Access Control in idno/known


Reported on

Apr 18th 2021

✍️ Description

A logged in user can edit 'Public' or 'Members only' status of other users

🕵️‍♂️ Proof of Concept

  1. Create a 'Public' or 'Members only' status update with a first user
  2. Login with a second user and go to the root page (e.g. http://yoursite/known) where you can see the status of the first user
  3. Press F12 and search in the inspector for "textarea", you will find something like :
<textarea name="json">{"type":"like","object":"http:\/\/yoursite\/known\/view\/8cd76fb1-86de-43e2-a4b3-ef802f94ee10"}</textarea>
  1. Get the identifier of the status, here it's "8cd76fb1-86de-43e2-a4b3-ef802f94ee10"
  2. You can then go to http://yoursite/known/status/edit/8cd76fb1-86de-43e2-a4b3-ef802f94ee10 to edit the status

💥 Impact

Any logged in user can modify the status of other users

Ben Werdmuller
2 years ago


Thank you for this! Fix is in the works.

to join this conversation