The UI Performs the Wrong Action in robotichead/nearbeach

Valid

Reported on

Oct 16th 2021


Description

Sensitive data in the application can be exposed after the user logs out.

Proof of Concept

1. Log in to the application (https://demo.nearbeach.app/).

2. Go to a page such as My Account, or any other page.

3. Click Logout.

4. Click the browser's Back button.

Impact

When a user logs out without closing the browser, someone else can view the information on the page by clicking the browser's Back button.

Occurrences

Not sure about the exact file and line of occurrence.

Adding this response header resolves the issue:

addHeader("Cache-Control", "no-cache, no-store, must-revalidate");
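A stdlib-only WSGI middleware that applies this header to every response, as an added example that is not part of the report or the NearBeach project (NearBeach is a Django app, where the same header can be set from a middleware; the demo app, its URL and the extra Pragma/Expires headers for older caches are assumptions):

```python
"""Stdlib-only WSGI middleware that forces no-store cache headers on every
response so a page is not served from the browser cache after logout.
Constructed example; NearBeach is a Django app, but the header is the same."""

NO_STORE_HEADERS = [
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
    ("Pragma", "no-cache"),  # assumption: also cover HTTP/1.0 caches
    ("Expires", "0"),
]

class NoStoreMiddleware:
    """Wrap a WSGI app and replace any caching headers it set with no-store ones."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            ours = {name.lower() for name, _ in NO_STORE_HEADERS}
            headers = [(n, v) for n, v in headers if n.lower() not in ours]
            headers.extend(NO_STORE_HEADERS)
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start_response)

def demo_app(environ, start_response):
    """Constructed app standing in for the authenticated 'My Account' page."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"account page"]

def call(app, path="/my_account"):
    """Invoke a WSGI app once and return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body

def is_cacheable(headers):
    """True when the response lacks no-store, i.e. the Back button can replay it."""
    return "no-store" not in headers.get("Cache-Control", "").lower()

if __name__ == "__main__":
    for name, app in (("before", demo_app), ("after", NoStoreMiddleware(demo_app))):
        _, headers, _ = call(app)
        print(name, headers.get("Cache-Control"), "cacheable:", is_cacheable(headers))
```

The unwrapped demo app reproduces the reported state (a cacheable authenticated page); wrapping it makes every response carry the no-store directive.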

We have contacted a member of the robotichead/nearbeach team and are waiting to hear back a month ago
robotichead validated this vulnerability a month ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
robotichead
a month ago

Maintainer


Hello,

We have tried to re-replicate this issue; however, we cannot anymore. Can you please confirm that you cannot re-replicate this issue?

Thank you

Regards, Robotichead

Asura-N
a month ago

Researcher


The issue is fixed.

Thank you. Regards, Asura-n

robotichead confirmed that a fix has been merged on 157f7c a month ago
The fix bounty has been dropped
settings.py#L9 has been validated