Privacy Violation In Chat System
Introduction/ Background
Here’s the write-up for the report I wrote 3 months ago on a Private Program on Hackerone. The bug was present in the chat system where the app is keeping the personal data of the users even after deletion.
Privacy Violation
Privacy Violation means wrongful disclosure, theft, or misuse of a user’s confidential, personal, and/or identifying information, including breach of, violation, or non-compliance with, data protection laws relating to employee data. Source: LawInsider
Initial Testing
The scope provided by the program was just the staging web app and a few staging APIs. So, I opened Burpsuite and Firefox and start interacting with the application. There are so many features in the app and the API endpoints were neat and clean.
Initially started testing API endpoints for user authentication, then authorized actions like posting, commenting, adding photos, and other authorized actions. Then, I started testing the chat system: file uploads, BOLA (Broken Object Level Authorization) on messageid, chatid, groupid, etc.
Bug Spotting Phase
There is a request through which users can delete the messages, as well as the attachments included within the message. Here’s the vulnerability:
Send a message to a user containing file attachments → Keep this request in your Proxy History/ Repeater → Open the file (the file which you’ve added) in New Tab → Delete this message → Using the API request and the messageid, check if the message still exists → Message is not present.
Okay, so the message got deleted (the text present got deleted). Do the developers add some functionality to delete the files present with the message? Reload this file which is still present in the Next Tab → It was still present there.
Important (Don’t Lose Hope)
Sometimes, the URLs for these files are pre-signed and have an expiration time, so maybe after 5 or 10 mins, the file won’t open. But, in my case API provided the endpoint for getting the pre-signed URL for the file as well. So, I can get this URL once again from the file_id and then see the file once again.
Impact
Businesses or Organizations should properly protect, manage and handle users’ PII. On a chatting system, users share so much personal information. On a crypto app, users can share their private keys photos written on papers, personal photos, etc. If some user is deleting the message, then why is the app not deleting the file attachment included in it as well?
Reporting Timeline
9th June 2022 → Reported
13th June 2022 → Triaged and Rewarded
Thank You For Reading.