MAL-2022-795 Malicious code in @zivver/fetlife-assets (npm)
Source: ghsa-malware 252563d49ca0b12c7e64af6a853395f0e071b90cb7e08479fccac1ff8ad07983. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Zivver: Timing difference exposes existence of accounts
This report concerns a timing-based enumeration of user accounts through the authentication endpoint. While the Zivver product offers intended ways to identify if another person is a Zivver user by their email address, this report was novel in that it allows this behavior pre-authentication...
Zivver: ADB Backup is enabled within AndroidManifest
In this report, it was highlighted that the ADB backup feature enabled in the Android application could be used by an attacker with physical access to the victim's device to 'migrate' data from app storage on the phone and later possibly extract secrets from that backup. For this attack to succee...
Zivver: Cross-site Scripting (XSS) - Reflected
This issue is out of scope per our policy. It would require very unlikely user involvement, such as getting the victim to directly copy and paste malicious code into the search bar, as the search query cannot be passed dynamically, e.g. as a URL parameter. Vulnerable URL: docs.zivver.com...
Zivver: Bypass MFA requirement to send messages
This report correctly discloses a trick by which messages can be sent in spite of apparent MFA requirement. However, the MFA notice was actually intended to be a dismissible alert -- due to some confusion within user story and development process, the client-side 'requirement' was implemented. We...
Zivver: Cross-Site Scripting through XSSJacking/PasteJacking Technique
The documentation website you found is a static website and the only way to inject the payload is by pasting it in the search box. There is no way to compose a url that you can send to someone else that would then also trigger the attack. Even with a successful attack, there is no user data on th...
Zivver: Bypassing Rate limit for forgot password by using different ip addresses
This report describes a valid issue in the rate limiter configuration for the "forgot password" endpoint, in which only the authenticating user's IP address was used as a discriminator. This was resolved by limiting requests based on multiple discriminators including the target account and...