Cross-Site Request Forgery (CSRF) in monicahq/monica
Jun 3rd 2021
The /settings/exportToSql endpoint has no CSRF protection. Because a plain GET request triggers the export, a third-party page can force a download of the victim's account data and then trick the user into handing that file over.
Proof of Concept
Log in to a user account, create the following file, and open it in the same browser.
```html
<!-- PoC.html -->
<html>
  <body>
    To verify that you are a human, upload the file that has been downloaded from our website now.
    <a href="https://app.monicahq.com/settings/exportToSql">Download Test File</a>
  </body>
</html>
```
Clicking the link downloads the user's data from the application without the user's consent, since the browser attaches the Monica session cookie to the cross-site GET. The attacker can then social-engineer the user into uploading the downloaded file to an attacker-controlled server.
Impact: potential leakage of private information through phishing, made possible by the missing CSRF token on this endpoint.
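As an added defender-side illustration (not Monica's own code; Monica is a Laravel application and would use the framework's CSRF token middleware on a POST-only route), the framework-independent check below shows what such a guard on /settings/exportToSql must enforce for the PoC link above to fail: no export on GET, a session-bound synchronizer token, and an Origin/Referer that matches the site. The `Request` class, the `demo()` requests and the `attacker.example` origin are constructed for the example; `SITE_ORIGIN` is taken from the PoC URL.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.monicahq.com"  # origin of the vulnerable app, from the PoC URL


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session):
    """Create (or reuse) the per-session token that the legitimate export form embeds."""
    if "_token" not in session:
        session["_token"] = secrets.token_urlsafe(32)
    return session["_token"]


def csrf_guard(req):
    """Return (allowed, reason); run before the SQL export is generated."""
    # A bare <a href> or <img src> can only issue a GET, so a POST-only route defeats the PoC.
    if req.method.upper() != "POST":
        return False, "method-not-allowed"
    # Synchronizer token: the submitted field must equal the session value (constant-time compare).
    expected = req.session.get("_token")
    supplied = req.form.get("_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad-csrf-token"
    # Defense in depth: browsers send Origin (or at least Referer) on POSTs; reject foreign sources.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return False, "missing-origin"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-origin"
    return True, "ok"


def demo():
    """Replay the PoC (cross-site GET, no token) against the guard, next to a legitimate POST."""
    session = {}
    token = issue_csrf_token(session)
    poc = Request("GET", "/settings/exportToSql", {"Referer": "https://attacker.example/PoC.html"}, {}, session)
    legit = Request("POST", "/settings/exportToSql", {"Origin": SITE_ORIGIN}, {"_token": token}, session)
    forged = Request("POST", "/settings/exportToSql", {"Origin": "https://attacker.example"}, {"_token": "guess"}, session)
    return csrf_guard(poc), csrf_guard(legit), csrf_guard(forged)


if __name__ == "__main__":
    print(demo())
```

SameSite=Lax cookies would also stop the top-level GET in this PoC in modern browsers, but the token check is what the endpoint itself must enforce.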