Improper Access Control in Onionshare

Between September 26, 2021 and October 8, 2021, Radically Open Security conducted a penetration test of OnionShare 2.4, funded by the Open Technology Fund’s Red Team lab. This is an issue from that penetration test.

• Vulnerability ID: OTF-004
• Vulnerability type: Improper Access Control
• Threat level: Moderate

Description:

Chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom.

Technical description:

This series of screenshots show Alice, Bob and Eve joined a chatroom and are the only participants in the chatroom. Eve seemingly leaves the chatroom, which leads Bob and Alice to believe they are having a private chat. The last screenshot shows that Eve only emitted the leave message and is still able to read the chat and possibly write messages.

This can be reproduced by joining the chat with two different instances, where one instance has slightly modified the client-side JavaScript code similar to OTF-003 (page 22). The joined emit needs to be removed from the connect event handler. Therefore the modified client is not listed in the userlist and has no active session. The modified non-listed user also needs to change their username to Eve, which is not shown in the chatroom. The modified client then emits the disconnect event and their connection is no longer usable.

This results in the leave message for Eve and the removal from the user-list but not in removal of the original session of the Eve who announced to join the chat.

Impact:

An adversary with access to the chat environment can spoof his leave event but still persist in the chat with access to all sent messages and the possibility to write in the chat using OTF-003 (page 22).

Recommendation:

• Implement proper session handling