Liberapay: Login CSRF : Login Authentication Flaw on https://liberapay.com/
News category: Security vulnerabilities
Source: vulners.com
Description: The sign-in flow performs no CSRF validation, which makes a login CSRF possible. An attacker can craft an HTML page that signs the victim into the attacker's account. Assuming they are still logged in to their own account, the victim may then add sensitive payment information to the attacker's account, where it is visible to the attacker.

Steps to reproduce:
1- Log in as the victim.
2- As the attacker, go to the login page and enter the attacker's e-mail address; an account confirmation link is sent to the attacker's mailbox.
3- Extract the values of id, key and token from the confirmation link and insert them into the HTML file (PoC), which also calls history.pushState('', '', '/').
4- Send the page to the victim and have them open it. The victim is now logged in to the attacker's account. (After some time the victim's own account session is logged out without any warning.)

Note: The victim may add sensitive payment information to the attacker's account, and the attacker can then see all of the victim's activity in that account, including any sensitive information the victim entered.

Proof of concept: (video) {F1228371}

Remediation:
1) When a sign-in link is used while the user is already logged in, show a message such as "You're already logged in as xxx. Do you want to sign in as yyy instead?"
2) Limit CSRF tokens per IP by including the IP in the token's payload.

Impact
1) The victim may add sensitive... ...
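The silent account switch described in the steps above, and the two remediations proposed at the end of the report, modelled as an added example in Python. This is not Liberapay's code and is not part of the report; the token format, the session model, the `confirmed` flag and the one-hour link lifetime are assumptions made for the illustration.

```python
# Added example (not Liberapay's code): a minimal model of an e-mail sign-in
# link handler, showing the silent account switch the report describes and the
# two checks it proposes. The token format, the `confirmed` flag and the
# 1-hour lifetime are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Per-deployment secret used to sign sign-in tokens (assumption).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a sign-in link stays valid (assumption)


@dataclass
class Session:
    """Server-side session bound to the browser's session cookie."""
    user_id: Optional[int] = None


def issue_signin_token(user_id: int, client_ip: str, now: Optional[float] = None) -> str:
    """Mint the token carried by the confirmation link.

    Remediation 2 from the report: the requesting client's IP is part of the
    signed payload, so the link is tied to the address that asked for it.
    '|' is the separator because IPv6 addresses contain ':'.
    """
    issued = int(now if now is not None else time.time())
    payload = f"{user_id}|{client_ip}|{issued}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_signin_token(token: str, client_ip: Optional[str] = None,
                        now: Optional[float] = None) -> Optional[int]:
    """Return the user id the token was issued for, or None if the token is
    forged, expired, or (when client_ip is given) was issued to another IP."""
    try:
        uid_s, ip, issued_s, sig = token.split("|")
        uid, issued = int(uid_s), int(issued_s)
    except ValueError:
        return None
    payload = f"{uid_s}|{ip}|{issued_s}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    current = now if now is not None else time.time()
    if current - issued > TOKEN_MAX_AGE:
        return None
    if client_ip is not None and ip != client_ip:
        return None
    return uid


def vulnerable_signin(session: Session, token: str,
                      now: Optional[float] = None) -> str:
    """Before: any valid link replaces whatever session already exists.

    A victim whose browser submits the attacker's link is silently logged
    into the attacker's account; this is the login CSRF in the report.
    """
    uid = verify_signin_token(token, now=now)
    if uid is None:
        return "invalid"
    session.user_id = uid
    return "signed-in"


def hardened_signin(session: Session, token: str, client_ip: str,
                    confirmed: bool = False,
                    now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """After: both remediations from the report.

    1. Do not switch an existing session to a different account unless the
       user explicitly confirmed (the "already logged in as xxx" prompt).
    2. Reject links presented from an IP other than the one that requested them.
    """
    uid = verify_signin_token(token, client_ip=client_ip, now=now)
    if uid is None:
        return "invalid", None
    if session.user_id is not None and session.user_id != uid and not confirmed:
        msg = (f"You're already logged in as user {session.user_id}. "
               f"Do you want to sign in as user {uid} instead?")
        return "confirm-required", msg
    session.user_id = uid
    return "signed-in", None
```

Of the two checks, the confirmation prompt is the one that actually stops the silent switch: it refuses to replace an existing session with a different account unless the user has seen and accepted the prompt. The IP binding is a weaker, second-line measure. It does nothing when attacker and victim share an egress address (a corporate NAT, a VPN, a mobile carrier), and it breaks legitimate links for users whose address changes between requesting the e-mail and clicking it, so treat it as defence in depth rather than the fix.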