Wednesday, February 19, 2020

Data Tampering Issue in Spot.im Application (Write Up)



Howdy!


Early in November last year I found a vulnerability on a comment plugin of Spot.IM which affects their customers that uses their service. The vulnerability allows attacker to tamper data of the comment that can end up into impersonating other users. It can allow attacker to change the Text, Display Name and the Star ratings for the comment. The vulnerability was reported to Spot.IM and was rejected as for their reason it was related to phishing.

--Proof of Concept--






--Report Timeline--

Reported: Tue, Nov 26, 2019, 6:16 PM
Closed (Final Response): Fri, Dec 6, 2019, 3:21 AM

Hi Evan,
You are only modifying your own account data and it does not interfere with the data of others.
You will be unable to set a username if the username is already taken. You will be able to modify your display name, however display names are different from usernames.
Currently there are no privacy or authentication issues caused by this.
Kind Regards,
Spot.IM  

I hope you enjoy this write up! stay tune for more contents like this in the future.

Have a great day,

Evan

"Push yourself, because no one else is going to do it for you."

No comments:

Post a comment