The UI Performs the Wrong Action in robotichead/nearbeach

Valid

Reported on

Oct 16th 2021


Description

Sensitive data in the application can be exposed after the user logs out.

Proof of Concept

1. Log in to the application ( https://demo.nearbeach.app/ )

2. Go to a page such as My Account, or any other page

3. Click logout

4. Click the browser back button

Impact

When a user logs out without closing the browser, someone else can view the information on the page by clicking the browser back button.

Occurrences

Not sure about the exact file and line of occurrence.

Adding this header resolves the issue:

addHeader("Cache-Control", "no-cache, no-store, must-revalidate");
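The fix the report suggests, worked through as an added example that is not NearBeach's own code: a WSGI middleware (assuming NearBeach's Django/WSGI stack; in Django itself the equivalent is the `never_cache` decorator or `add_never_cache_headers`) that forces no-store headers onto every response, run against a constructed "My Account" handler. The handler, `call_app` and `is_cacheable` are constructed here for illustration.

```python
# Constructed example (not NearBeach's own code): WSGI middleware that marks
# every response non-cacheable so the browser back button cannot replay a
# logged-in page after logout.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ("Pragma", "no-cache"),  # honoured by HTTP/1.0 caches
    ("Expires", "0"),
]

class NoStoreMiddleware:
    """Wrap a WSGI app; caching headers the app set are dropped first, so a
    permissive value such as 'public, max-age=3600' cannot survive."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers
                    if k.lower() not in ("cache-control", "pragma", "expires")]
            return start_response(status, kept + NO_STORE_HEADERS, exc_info)
        return self.app(environ, _start_response)

def account_page(environ, start_response):
    """Constructed stand-in for a page such as 'My Account'; it sets a
    permissive Cache-Control that lets the back button replay it."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"<h1>My Account</h1><p>email: user@example.invalid</p>"]

def call_app(app, path="/my-account"):
    """Invoke a WSGI app in-process; return (status, header dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body

def is_cacheable(headers):
    """True if the response lacks no-store, i.e. a browser may keep a copy."""
    return "no-store" not in headers.get("Cache-Control", "").lower()

if __name__ == "__main__":
    for label, app in (("unpatched", account_page),
                       ("patched", NoStoreMiddleware(account_page))):
        headers = call_app(app)[1]
        print(label, headers["Cache-Control"], "cacheable:", is_cacheable(headers))
```

The directive that matters is `no-store`; `no-cache` alone still lets a browser keep a copy that some back-button implementations will show without revalidating.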

We have contacted a member of the robotichead/nearbeach team and are waiting to hear back a year ago
robotichead validated this vulnerability a year ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
robotichead
a year ago

Maintainer


Hello,

We have tried to re-replicate this issue; however, we cannot anymore. Can you please confirm that you cannot re-replicate this issue?

Thank you

Regards, Robotichead

Asura-N
a year ago

Researcher


Issue is fixed

Thank you. Regards, Asura-n

robotichead confirmed that a fix has been merged on 157f7c a year ago
The fix bounty has been dropped
settings.py#L9 has been validated