FULL DISCLOSURE AFTER 3+ MONTHS ATTEMPTED CONTACT
REPORT WRITTEN: 03/10/2023
After reviewing a small portion of Anonshop.app’s code on Github I believe I've identified multiple potential vulnerabilities. Please review the following and confirm any vulnerabilities; and then, if requested, I can provide assistance in suggesting patches.
Vulnerability A:
Message forgery in customer “main chat”, whereby an adversary can produce a message appearing to be authored by any arbitrary user.
Components:
github.com/DecentralizeJustice/anonymousLocker/netlify/functions/sendMessage.js
Vulnerability B:
Insecure plaintext storage of password (CWE-256) in customer database and in mainChat DB within table chats where the user is provided a quick login link.
Components:
github.com/DecentralizeJustice/anonymousLocker/netlify/functions/loginToAccount.js
github.com/DecentralizeJustice/anonBackend/netlify/functions/proccessSettledBTCpayInvoice.js
Vulnerability C:
Potential insecure direct object reference (CWE-639) in “main chat” system. A 128bit random chatID is generated, however, no user authentication is performed to authenticate access to the messages belonging to that user/chat session.
Components:
github.com/DecentralizeJustice/anonBackend/netlify/functions/proccessSettledBTCpayInvoice.js
github.com/DecentralizeJustice/anonymousLocker/netlify/functions/getMessageArray.js
Other Issues:
Non-vulnerability-related issues.
Additional Issue A:
Insecure storage of personal information (customer addresses, full names etc). GDPR Article 32 recommends (although does not require) encryption of such information.
Additional Issue B:
No content security policy (CSP) deployed to the website. In the event of an XSS attack (e.g. a vulnerability in sanitize-html), a CSP would help minimise or prevent actualisation of such an attack.
Additional Issue C:
As assumed by the marketing, privacy is of maximum concern. However, Netlify is used as the backend, allowing all communications to be viewed by said company (full names, addresses and orders), despite TLS. It is then further recommended that all orders and communications are to be E2E encrypted, preventing Netlify from viewing such information. Moreover, this would help resolve Additional Issue A.
Additional Issue D:
There are no contact details or official methods to report vulnerabilities, both on the site and GitHub pages. It is recommended to provide a security contact email and security policy within “DecentralizeJustice”’s GitHub repositories.
Please confirm the findings and receipt of this report.
Regards,
Go Compile