Markdown injection into github comment in getalby/lightning-browser-extension
May 27th 2023
Users can sponsor builds by tipping. A GitHub Action then thanks the tipper by name in a comment.
The tipper's name is not sanitized, so by using a name such as the following an attacker can inject their own markdown into the comment.
The "`" closes the inline code span the name is placed in; everything after it is rendered as arbitrary markdown.
The highlighted code in the occurrences shows that
poweredBy.by comes from an HTTP API response and is concatenated into a markdown string without sanitization.
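The following is an added example, not code from the lightning-browser-extension repository: a vulnerable comment builder that mirrors the report (an API-supplied `poweredBy.by` dropped between single backticks, with a made-up template string), a hardened builder beside it, and a small CommonMark-style check that tells the two apart. The hardening relies on the CommonMark rule that a code span closes only at a backtick run of exactly the same length as the opening run, so the delimiter is chosen longer than any backtick run in the name, newlines are collapsed so the name cannot start a new block, and the content is space-padded when it begins or ends with a backtick. The attacker name is constructed for the demonstration.

```javascript
// Added example, not the project's code. The template text and the shape of
// the `poweredBy` object ({ by: string }) are assumptions for illustration.

// Vulnerable: the API-supplied name lands between single backticks. A name
// containing "`" closes the code span and the rest is live markdown.
function buildCommentVulnerable(poweredBy) {
  return `Thanks to \`${poweredBy.by}\` for sponsoring this build!`;
}

// Wrap arbitrary text in a code span that cannot be broken out of:
// the delimiter run is one longer than the longest backtick run inside,
// newlines become spaces, and a leading/trailing backtick gets space padding.
function codeSpan(text) {
  const flat = String(text).replace(/[\r\n]+/g, " ");
  let longest = 0;
  for (const run of flat.match(/`+/g) || []) {
    longest = Math.max(longest, run.length);
  }
  const fence = "`".repeat(longest + 1);
  const needsPad = flat.startsWith("`") || flat.endsWith("`");
  return fence + (needsPad ? ` ${flat} ` : flat) + fence;
}

// Hardened: same template, name passed through codeSpan().
function buildCommentHardened(poweredBy) {
  return `Thanks to ${codeSpan(poweredBy.by)} for sponsoring this build!`;
}

// Remove every code span from a markdown string, following the CommonMark
// matching rule: a run of N backticks opens a span that closes at the next
// run of exactly N backticks; an opening run with no partner stays literal.
function stripCodeSpans(markdown) {
  let out = "";
  let i = 0;
  while (i < markdown.length) {
    if (markdown[i] !== "`") {
      out += markdown[i++];
      continue;
    }
    let n = 0;
    while (markdown[i + n] === "`") n++;
    let j = i + n;
    let closed = false;
    while (j < markdown.length) {
      if (markdown[j] !== "`") {
        j++;
        continue;
      }
      let m = 0;
      while (markdown[j + m] === "`") m++;
      if (m === n) {
        closed = true;
        break;
      }
      j += m;
    }
    if (closed) {
      i = j + n; // drop the whole span, including its content
    } else {
      out += markdown.slice(i, i + n); // unmatched run is literal text
      i += n;
    }
  }
  return out;
}

// Does a markdown link survive outside any code span? True means the
// injected payload would render as a clickable link in the comment.
function hasLinkOutsideCode(markdown) {
  return /\[[^\]]*\]\([^)]*\)/.test(stripCodeSpans(markdown));
}

// Constructed attacker name: closes the single-backtick span, adds a link,
// and reopens a span so the trailing template backtick is absorbed.
const attackerName = "bob` [click here](https://attacker.example) `";
console.log(buildCommentVulnerable({ by: attackerName }));
console.log(hasLinkOutsideCode(buildCommentVulnerable({ by: attackerName }))); // true
console.log(buildCommentHardened({ by: attackerName }));
console.log(hasLinkOutsideCode(buildCommentHardened({ by: attackerName }))); // false
```

A code span neutralizes all inline markdown (links, images, emphasis, raw HTML), which is why the fix targets the delimiter rather than trying to blacklist characters; if the name must render as plain text instead of code, the alternative is to escape every markdown-significant character, which is far easier to get wrong.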
Proof of Concept
Please take a look at this comment to see an injected link:
To reproduce it yourself, donate some satoshi to
email@example.com, put the payload in the name field, and wait until you are thanked on a build.
I hope I didn't go too far by testing it.
This may be abused to lure victims to malicious sites or spread other phishing scams on PRs. I would rate this "Low" in a pentest.