stacks-archive/blockstack-browser

[Security] Unrestricted File Upload

Shashank-In opened this issue · 5 comments

Description: When we install the browser, we are sent to localhost:8888. There, under the profile section, we have an option to upload images. I noticed that there are no file upload restrictions, hence an attacker can upload any kind of file, for example:

  • Upload and host a phishing page in HTML
  • Execute malicious javascript
  • Upload trojan/backdoors to infect the victim's system

The request to upload the file looks like this:

POST /store/1GMACmsiJigwVRrHpHGD6GsD9EzWSPj9B2//avatar-0 HTTP/1.1
Host: hub.blockstack.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/html
Authorization: bearer 
Origin: http://localhost:8888
Content-Length: 143
Connection: close

<html>
<body>
Easily send and receive tokens on the Blockstack Network.
<a href="https://evil.com">Fake installation file</a>
</body>
</html>

Proof of concept:
This small proof shows that we can host a fake page to mislead victim users into downloading a malicious file to infect their system, or host a phishing page (which can be any page, not limited to Gaia).

Visit the link to see the proof:
https://gaia.blockstack.org/hub/1GMACmsiJigwVRrHpHGD6GsD9EzWSPj9B2//avatar-0

[Screenshot 2020-12-05 at 9:52:01 PM]

Or execute client-side javascript

[Screenshot 2020-12-05 at 9:53:01 PM]

Additional Notes
I know Gaia and the browser are no longer in use. But the impact is global here at the organization level. This bug affects all the users who are using Blockstack. The fake pages are served from the official Blockstack domain. The domain blockstack.org is trusted, and an attacker can exploit that trust to host his own pages to lure victims into downloading a backdoor or tempt them into giving away their private keys/credentials by hosting a fake page/false campaign etc.
Again I want to emphasize that the impact here is global as it impacts all users. The overall concept of security is to protect users from bad/malicious actors.

cc: @timstackblock @diwakergupta
As per the conversation on Discord, I have filed a report.

Thanks @Shashank-In, we are investigating.

Hey @Shashank-In , thank you for spending your time looking into this. I am inclined to say this is not a security vulnerability in the Blockstack Browser, without a mechanism for executing this payload on a different user in the Blockstack Browser. Right now the Blockstack Browser only shows your avatar file as an <img src={url} />, which will not execute stored XSS. If you found something like that, please post on HackerOne. I do recognize that this is a bug in the Blockstack Browser around improper MIME types when uploading an avatar, but we have mostly deprecated non-security updates to this product, as seen in the README for this repo.

We can continue this discussion on HackerOne.
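The MIME-type bug acknowledged above (the hub stores whatever Content-Type the client declares, so a `text/html` body ends up served as a page from the storage host) is the kind of thing a server-side allowlist plus magic-byte check closes. The following is an added example written for this thread, not code from the blockstack-browser or Gaia hub projects; the function and header names are hypothetical, and the sample bodies are constructed.

```javascript
// Added example (not the Gaia hub's own code): accept an avatar upload only
// when the declared Content-Type is an allowed image type AND the first bytes
// of the body match that type, so a client-chosen "text/html" cannot turn the
// storage host into a place that serves attacker-authored HTML.

// Allowed avatar types and the magic bytes each must start with.
const AVATAR_TYPES = {
  'image/png': [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  'image/jpeg': [[0xff, 0xd8, 0xff]],
  'image/gif': [[0x47, 0x49, 0x46, 0x38, 0x37, 0x61], [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]],
};

function startsWith(bytes, prefix) {
  // Short bodies fail the comparison because bytes[i] is undefined.
  return prefix.every((b, i) => bytes[i] === b);
}

// Returns { ok: true, contentType } for a genuine image, otherwise
// { ok: false, reason }. The declared header is never trusted on its own.
function validateAvatarUpload(declaredContentType, bytes) {
  const type = String(declaredContentType || '').split(';')[0].trim().toLowerCase();
  const signatures = AVATAR_TYPES[type];
  if (!signatures) {
    return { ok: false, reason: `content type not allowed for avatars: ${type || '(none)'}` };
  }
  if (!signatures.some((sig) => startsWith(bytes, sig))) {
    return { ok: false, reason: `body does not look like ${type}` };
  }
  return { ok: true, contentType: type };
}

// Headers to use when serving a stored object: the validated type, nosniff so
// browsers do not reinterpret the bytes, and a sandboxing CSP as defence in depth.
function responseHeadersFor(contentType) {
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample bodies: an HTML page like the one in the report, and the
// start of a PNG file (signature followed by the IHDR chunk length).
const HTML_BODY = Buffer.from('<html><body><a href="https://example.invalid">x</a></body></html>');
const PNG_BODY = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);

console.log(validateAvatarUpload('text/html', HTML_BODY)); // rejected by the allowlist
console.log(validateAvatarUpload('image/png', HTML_BODY)); // rejected by the magic bytes
console.log(validateAvatarUpload('image/png', PNG_BODY));  // accepted
```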

@hstove Hi, I have already mentioned this is not related to the browser. It affects the subdomain of the organisation, which is trusted and hence can be exploited for phishing attempts. I don't think I can explain more. It has a global impact, as I mentioned many times. There is a PoC where I showed anyone can host an HTML page on the domain which is owned by Blockstack.

Hi @hstove
I think my title was misleading because there was so much confusion. I have filed a report on h1 as well. Please let me know.