High

chuanhuchatgpt

Unauthorized Access and Manipulation of User Chat Histories

A vulnerability in the chat application version 20240802 allows attackers to access, copy, and delete other users' chat histories due to improper session handling and lack of access control. This issue was patched in version 20240918.

Available publicly on Nov 05 2024

8.1

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Credit:

mnqazi
Threat Overview

The vulnerability arises from improper handling of session data and lack of access control mechanisms in the chat application. By sequentially executing specific POST requests, an attacker can access, copy, and delete chat histories of other users. This can lead to unauthorized data manipulation, privacy violations, and potential further exploitation.

Attack Scenario

An attacker identifies a victim's username and chat name. They then send a crafted POST request to access the victim's chat history, followed by another POST request to delete the chat history from the victim's folder and paste it into their own folder. This allows the attacker to view and manipulate the victim's chat history.

Who is affected

Users of the chat application version 20240802 are affected by this vulnerability. Any user can potentially have their chat history accessed, copied, and deleted by an attacker.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.