Cross-Site WebSocket Hijacking Vulnerability
A Cross-Site WebSocket Hijacking (CSWSH) vulnerability in GPT Academy version 3.83 allows attackers to hijack WebSocket connections and perform unauthorized actions such as deleting conversation history. The issue arises from insufficient WebSocket authentication and lack of origin validation. The vulnerability has not yet been patched.
Available publicly on Jan 02 2025
Remediation Steps
- Implement proper WebSocket authentication to ensure that only authorized users can establish WebSocket connections.
- Validate the origin of WebSocket requests to prevent cross-site attacks.
- Use secure WebSocket protocols (wss://) to encrypt WebSocket communications.
- Regularly review and update security policies to include WebSocket security best practices.
- Educate users about the risks of interacting with unknown or suspicious links while logged into sensitive applications.
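The first two remediation steps (authenticating the WebSocket handshake and validating its origin) are the ones that actually close a CSWSH hole, because the attack works by having the victim's browser open a WebSocket to the target from a foreign page while the browser attaches the victim's cookies automatically. The following server-side handshake check is an added example written for this advisory; it is not code from GPT Academy, and the allowlisted origin, the header names, the query-string token channel and the session table are all assumptions made up for illustration.

```python
from urllib.parse import urlsplit, parse_qs
import hmac

# Constructed sample data for this example (assumptions, not values from the
# advisory or from GPT Academy).
ALLOWED_ORIGINS = {"https://academy.example.test"}
# session token -> user; in a real deployment this is the app's session store.
SESSIONS = {"s3ss10n-token-abc": "alice"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Canonicalize an Origin header value to scheme://host[:port].

    Returns None for anything that is not a well-formed origin, so 'null',
    empty values and URLs carrying paths, query strings or userinfo are all
    rejected rather than accidentally matched.
    """
    if not origin:
        return None
    try:
        parts = urlsplit(origin)
        host = parts.hostname  # lower-cased by urlsplit
        port = parts.port      # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not host:
        return None
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match allowlist check.

    Prefix or substring matching is a classic bypass (an attacker can register
    academy.example.test.attacker.test), so both sides are canonicalized and
    compared for equality.
    """
    norm = normalize_origin(origin)
    if norm is None:
        return False
    return norm in {normalize_origin(a) for a in allowed}


def token_from_request(path):
    """Extract the session token the client placed in the query string.

    Browser JavaScript cannot add custom headers to a WebSocket handshake, so
    a token in the URL (or in Sec-WebSocket-Protocol) is the usual channel.
    Cookies alone must not be relied on: the browser attaches them to a
    cross-site handshake automatically, which is exactly what CSWSH abuses.
    """
    values = parse_qs(urlsplit(path).query).get("token")
    return values[0] if values else None


def authenticate_token(token, sessions=SESSIONS):
    """Return the user bound to the token, comparing in constant time."""
    if not token:
        return None
    for stored, user in sessions.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


def handshake_decision(headers, path, allowed=ALLOWED_ORIGINS, sessions=SESSIONS):
    """Decide whether to accept a WebSocket upgrade request.

    headers: dict of request headers (looked up case-insensitively here).
    path:    the request target, e.g. '/ws?token=...'.
    Returns (accepted, reason_or_user).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if not origin_allowed(lowered.get("origin"), allowed):
        return (False, "origin not allowed")
    user = authenticate_token(token_from_request(path), sessions)
    if user is None:
        return (False, "missing or invalid session token")
    return (True, user)


if __name__ == "__main__":
    # Constructed handshake as it would arrive from a foreign page: the victim's
    # cookies would be attached, but the Origin is foreign and no token is
    # present, so the upgrade is refused before any message is processed.
    print(handshake_decision({"Origin": "https://evil.example.test"}, "/ws"))
```

Note that the third remediation step (wss://) is complementary rather than a substitute: TLS encrypts the connection but does nothing to stop a cross-site page from opening a wss:// socket to the server, so the origin check and a non-cookie credential are what actually block the hijack.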
Patch Details
- Fixed Version: N/A
- Patch Commit: N/A