Session tokens are not invalidated on logout in heroiclabs/nakama

Valid

Reported on

May 24th 2022


Description

The session token (sent as a Bearer token in the Authorization header) is not invalidated on logout, so a token issued before logout can still be used after it.

Proof of Concept

Log in to the Nakama console.
Intercept an authenticated request and keep a copy of it. Below is a sample request:

GET /v2/console/user HTTP/1.1
Host: localhost:7351
Accept: application/json, text/plain, */*
Authorization: Bearer <token>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Referer: http://localhost:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Log out of the application.
Replay the intercepted request unchanged. The response is the same as for an authenticated user: the token is still accepted after logout.

Impact

Session tokens issued before logout remain valid afterwards. Anyone holding an old token (for example one captured from an intercepted request) can keep authenticating to the console and sending authenticated requests, since logging out does not revoke it server-side.
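The replay described in the Proof of Concept above, together with the server-side fix it calls for, as an added Go example; this is not code from the report or from the Nakama code base. It stands up an in-process stand-in for the console in which a token is an HMAC-signed id (the real console uses JWTs, but the property that matters, that a token verifies without any server-side lookup, is the same). With hardened=false the logout only answers 204 and the replayed /v2/console/user request still returns 200; with hardened=true the logout records the token id in a revocation set and the same replay gets 401. /v2/console/user is the path from the report; the authenticate and logout paths, the token format and the response body are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Console is a constructed stand-in for the console backend, not Nakama's code.
// A token is "<id>.<hmac-sha256(id)>" and verifies with no lookup, so a logout
// that only makes the client forget it leaves it valid on the server unless the
// server records the revocation as well (hardened mode below).
type Console struct {
	secret   []byte
	hardened bool
	revoked  sync.Map // token id -> struct{}{} once a logout has revoked it
}

func NewConsole(hardened bool) *Console {
	c := &Console{secret: make([]byte, 32), hardened: hardened}
	rand.Read(c.secret) // crypto/rand.Read never returns an error on Go 1.24+
	return c
}

func (c *Console) sign(id string) string {
	m := hmac.New(sha256.New, c.secret)
	m.Write([]byte(id))
	return hex.EncodeToString(m.Sum(nil))
}

// validate returns the token id from the Authorization header; the second
// result is false for a bad signature or, in hardened mode, a revoked id.
func (c *Console) validate(r *http.Request) (string, bool) {
	id, sig, ok := strings.Cut(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(c.sign(id))) {
		return "", false
	}
	_, gone := c.revoked.Load(id)
	return id, !(c.hardened && gone)
}

// Handler serves the endpoints the PoC touches. /v2/console/user is the path
// from the report; the authenticate and logout paths are assumptions.
func (c *Console) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/console/authenticate", func(w http.ResponseWriter, r *http.Request) {
		raw := make([]byte, 16)
		rand.Read(raw)
		id := hex.EncodeToString(raw)
		io.WriteString(w, id+"."+c.sign(id))
	})
	mux.HandleFunc("/v2/console/user", func(w http.ResponseWriter, r *http.Request) {
		if _, ok := c.validate(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		io.WriteString(w, `{"username":"admin"}`) // constructed response body
	})
	mux.HandleFunc("/v2/console/logout", func(w http.ResponseWriter, r *http.Request) {
		id, ok := c.validate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if c.hardened { // the fix: revoke server-side; the entry can go once the token itself expires
			c.revoked.Store(id, struct{}{})
		}
		w.WriteHeader(http.StatusNoContent)
	})
	return mux
}

// ReplayAfterLogout runs the PoC against an in-process server: log in, log out,
// replay /v2/console/user with the same token, and return the replayed status
// code. 200 means the token outlived the logout; 401 means it was rejected.
func ReplayAfterLogout(hardened bool) int {
	srv := httptest.NewServer(NewConsole(hardened).Handler())
	defer srv.Close()
	call := func(method, path, token string) (int, string) {
		req, _ := http.NewRequest(method, srv.URL+path, nil)
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			panic(err)
		}
		defer resp.Body.Close()
		body, _ := io.ReadAll(resp.Body)
		return resp.StatusCode, string(body)
	}
	_, token := call("POST", "/v2/console/authenticate", "")
	call("POST", "/v2/console/logout", token)
	code, _ := call("GET", "/v2/console/user", token) // the intercepted request, replayed
	return code
}
```

Calling ReplayAfterLogout(false) returns 200 and ReplayAfterLogout(true) returns 401. A revocation set is the minimal fix for bearer tokens that verify statelessly: entries only need to live until the token's own expiry, and in a deployment with several server nodes the set has to be shared (or the token has to carry a session version that logout bumps), otherwise a replay against another node still succeeds.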

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 2 years ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days. 2 years ago
Niraj Khatiwada modified the report 2 years ago
Niraj Khatiwada modified the report 2 years ago
heroiclabs/nakama maintainer has acknowledged this report 2 years ago
Andrei Mihu (Maintainer) 2 years ago

Thanks for the report, we're looking into this and will respond in more depth as soon as possible.

Andrei Mihu validated this vulnerability a year ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andrei Mihu marked this as fixed in 3.13.0 with commit ce8d39 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE