Session tokens are not invalidated on logout in heroiclabs/nakama
Valid
Reported on
May 24th 2022
Description
The session cookie is not invalidated on logout, so it can still be used after logout.
Proof of Concept
Log in to the Nakama console.
Intercept the request. Below is a sample request:
GET /v2/console/user HTTP/1.1
Host: localhost:7351
Accept: application/json, text/plain, */*
Authorization: Bearer <token>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Referer: http://localhost:7351/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Logout from the application.
Replay the request. The response is returned as if the user were still authenticated.
Impact
Old session tokens can be used to authenticate to the application and send authenticated requests.
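The defence for the behaviour described above is server-side revocation: logout must delete the session on the server, not just clear it in the browser. The following Go program is an added example, not Nakama's own code, showing one way to do that with an in-memory store of opaque bearer tokens (the `SessionStore` type, the `/v2/console/logout` path and the token format are assumptions; only `/v2/console/user` and the `Authorization: Bearer` header come from the report). `ReplayAfterLogout` reproduces the report's check in-process: request with a token, log out, replay the identical request, and return both status codes, which should be 200 and then 401.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

var ErrUnauthorized = errors.New("unauthorized")

// SessionStore tracks which bearer tokens are currently valid (hypothetical
// example store; a real deployment would use a shared database or cache).
type SessionStore struct {
	mu     sync.Mutex
	active map[string]time.Time // token -> expiry
}

func NewSessionStore() *SessionStore {
	return &SessionStore{active: make(map[string]time.Time)}
}

// Issue creates a random opaque token and records it as active until ttl elapses.
func (s *SessionStore) Issue(ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	s.active[tok] = time.Now().Add(ttl)
	s.mu.Unlock()
	return tok, nil
}

// Revoke deletes the token on logout, so a replayed copy no longer authenticates.
func (s *SessionStore) Revoke(tok string) {
	s.mu.Lock()
	delete(s.active, tok)
	s.mu.Unlock()
}

// Validate accepts only tokens that are known to the store and unexpired.
func (s *SessionStore) Validate(tok string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.active[tok]
	if !ok || time.Now().After(exp) {
		delete(s.active, tok)
		return ErrUnauthorized
	}
	return nil
}

func bearer(r *http.Request) string {
	return strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
}

// Handler exposes the protected route from the report plus a logout route
// (assumed path) that revokes the token server-side.
func Handler(s *SessionStore) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v2/console/user", func(w http.ResponseWriter, r *http.Request) {
		if err := s.Validate(bearer(r)); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"username":"admin"}`)
	})
	mux.HandleFunc("/v2/console/logout", func(w http.ResponseWriter, r *http.Request) {
		s.Revoke(bearer(r))
		w.WriteHeader(http.StatusNoContent)
	})
	return mux
}

// ReplayAfterLogout runs the report's steps against the in-process server and
// returns the status of the first request and of the replay after logout.
func ReplayAfterLogout() (before, after int, err error) {
	store := NewSessionStore()
	srv := httptest.NewServer(Handler(store))
	defer srv.Close()
	tok, err := store.Issue(time.Hour)
	if err != nil {
		return 0, 0, err
	}
	do := func(method, path string) (int, error) {
		req, _ := http.NewRequest(method, srv.URL+path, nil)
		req.Header.Set("Authorization", "Bearer "+tok)
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		return resp.StatusCode, nil
	}
	if before, err = do(http.MethodGet, "/v2/console/user"); err != nil {
		return
	}
	if _, err = do(http.MethodPost, "/v2/console/logout"); err != nil {
		return
	}
	after, err = do(http.MethodGet, "/v2/console/user")
	return
}

func main() {
	before, after, err := ReplayAfterLogout()
	if err != nil {
		panic(err)
	}
	fmt.Printf("before logout: %d, replay after logout: %d\n", before, after)
}
```

The same harness doubles as a regression test for the bug: if logout only touched client state, `after` would stay 200. With signed JWTs instead of opaque tokens the equivalent fix is a server-side denylist of revoked token IDs checked alongside the signature, kept at least until the token's expiry.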
Occurrences
We are processing your report and will contact the heroiclabs/nakama team within 24 hours.
2 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back.
2 months ago
We have sent a follow up to the heroiclabs/nakama team. We will try again in 7 days.
2 months ago
nerrorsec modified the report
2 months ago
nerrorsec modified the report
2 months ago
Thanks for the report, we're looking into this and will respond in more depth as soon as possible.
The researcher's credibility has increased: +7
The fix bounty has been dropped
authentication.service.ts#L82-L86 has been validated