Markdown injection into github comment in getalby/lightning-browser-extension

Valid

Reported on May 27th 2023

Description

Users can donate for builds by tipping builds@getalby.com, and a GitHub Action then thanks the donor in a comment. The donor's name is not sanitized, so by using a name such as the following, an attacker can inject their own markdown into the comment.

` [foo](//getalby.com)

The leading "`" closes the code span the name is placed in; everything after it is rendered as arbitrary markdown.

The highlighted code in the occurrences shows that poweredBy.by comes from an HTTP API and is appended into a markdown string without sanitization.

Proof of Concept

Please take a look at this comment to see an injected link:

https://github.com/getAlby/lightning-browser-extension/pull/2451#issuecomment-1563568663

To reproduce this yourself, donate some satoshi to builds@getalby.com, place the payload in the name, and wait until you are thanked on a build.

I hope I didn't go too far by testing it.

Impact

This may be abused to lure victims to malicious sites or spread other phishing scams on PRs. I would rate this "Low" in a pentest.

Occurrences

Stripping `, \r & \n in poweredBy.* should address this.

We are processing your report and will contact the getalby/lightning-browser-extension team within 24 hours. 4 months ago
Finn Westendorf modified the report
4 months ago
We have contacted a member of the getalby/lightning-browser-extension team and are waiting to hear back 4 months ago
Michael Bumann gave praise 4 months ago
Thanks again for this report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
getalby/lightning-browser-extension maintainer has acknowledged this report 4 months ago
Finn Westendorf (Researcher), 4 months ago

Thanks :) AFAIK you can verify/validate a report if you agree with it, and optionally, as you already did, thank me to give me bonus points. Then later you add a commit which fixes this issue to disclose the report.

Before that, if you want, you could send me the patch here; I'll try my best to review it in a timely fashion, and then you submit it as the fix.

I don't know how the UI looks on your side, and the FAQ is a bit small. But that's how it looks from my end.

Finn Westendorf (Researcher), 4 months ago

https://github.com/getAlby/lightning-browser-extension/commit/a8033237f9be74113b56705e840aaf7d4cd0c5cc

I see you removed the feature. That definitely addresses it :) So now you could verify the report and submit the above link as the fix.

Finn Westendorf (Researcher), 4 months ago

I actually quite liked the feature, and so, it seems, did at least one other person on the PR, so I wanna highlight that this could be done securely if you just strip dangerous characters. I know ` and newlines (\r & \n) can break out of `-code blocks in GitHub flavored markdown. Remove those from the name / description and it should be fine!
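The mitigation proposed in the Occurrences section and in the comment above, as an added example that is not code from the lightning-browser-extension repository or the thread: a thank-you comment builder in the shape the report describes, the hardened version that strips `, \r and \n from the poweredBy.* fields, and a check that confirms the donor name stays confined to its code span. The template text and the helper names are assumptions; the field name poweredBy.by and the payload shape come from the report.

```javascript
// Vulnerable: the donor-supplied name is dropped into a single-backtick
// code span as-is. A name containing "`" (or a CR/LF) terminates the span,
// so the remainder of the name is rendered as markdown.
function buildThanksUnsafe(poweredBy) {
  return `This build was powered by \`${poweredBy.by}\`. Thank you!`;
}

// Hardened: remove the characters that can close a single-backtick code
// span in GitHub Flavored Markdown (the backtick itself, \r and \n), as the
// report suggests. Apply it to every poweredBy.* field that is interpolated.
function sanitizeField(value) {
  return String(value ?? '').replace(/[`\r\n]/g, '');
}

function buildThanksSafe(poweredBy) {
  const by = sanitizeField(poweredBy.by);
  return `This build was powered by \`${by}\`. Thank you!`;
}

// Review check on the final comment text: with the name confined to one
// code span, no markdown link syntax may appear outside backticks. Code
// spans cannot contain a newline, so an injected newline also counts as a
// break-out. Returns the link fragments found outside code spans.
function findMarkdownOutsideCode(comment) {
  const outside = comment.replace(/`[^`\n]*`/g, '');
  return outside.match(/\[[^\]]*\]\([^)]*\)/g) ?? [];
}

// Constructed donor record using the payload shape from the report.
const maliciousDonor = { by: '` [foo](//getalby.com)' };

console.log(buildThanksUnsafe(maliciousDonor));
console.log(findMarkdownOutsideCode(buildThanksUnsafe(maliciousDonor)));
// [ '[foo](//getalby.com)' ]  -> the link is live in the rendered comment
console.log(buildThanksSafe(maliciousDonor));
console.log(findMarkdownOutsideCode(buildThanksSafe(maliciousDonor)));
// []  -> the whole name stays inside the code span
```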

getalby/lightning-browser-extension maintainer validated this vulnerability 3 months ago

That other person was also from our team, so I don't think it was widely used, really. Also this currently has absolutely no priority, so I'd rather close this issue for now.

Finn Westendorf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Bumann gave praise 3 months ago
Thanks again for this report!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Michael Bumann marked this as fixed in n/a with commit a80332 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Michael Bumann published this vulnerability 3 months ago