[Problem/Question]
I’ve identified a potential security vulnerability regarding websocket impersonation in our chat system. By capturing and modifying the channel_id
value from a websocket message, it’s possible to impersonate another user. How can avoid it?
// If problem, please fill out the below. If question, please delete.
4.12.3
// What version of the SDK are you using?
[Reproduction Steps]
1- Launch an interceptor tool like Burp.
2- Assume three users (user1, user2, user3) , let’s start a chat from user1 to user2 with text = “Hello from user1 to user2”
3- Capture the websocket message in Burp. An example message
MESG{"channel_id":123123123,"scrap_id":"","user":{"name":"Test","image":"","require_auth_for_profile_image":false,"guest_id":"456","id":456456,"role":"","metadata":{},"is_bot":false,"is_ai_bot":false,"is_active":true},"silent":false,"check_reactions":false,"is_op_msg":false,"is_guest_msg":true,"data":"{\"isDeepLink\":false,\"sender\":{\"id\":\"456\",\"name\":\"usernametest\"}}","sts":169807123123,"channel_url":"sendbird_group_channel_123123_123123123","channel_type":"group","is_super":false,"mention_type":"users","mentioned_users":[],"message_events":{"send_push_notification":"receivers","update_unread_count":true,"update_mention_count":true,"update_last_message":true},"message_retention_hour":-1,"request_id":"123123123","translations":{},"custom_type":"","is_removed":false,"last_updated_at":1698072673333,"message":"Hello from user1 to user2","msg_id":789789,"ts":1698072644444,"req_id":"456456456"}
4- Send that websocket message to repeater
5- Confirm that user2 has received user1 message.
6- Start a chat from user2 to user3 sending e.g. “Hello from user2 to user3”
7- Capture that websocket message using Burp and note the channel_id from user2 to user3.
8- In Burp’s repeater tool, replace the original channel_id
(from step 4) with the new channel_id
from step 8. Modify the message content if desired, then resend.
9- user2
will receive a message seemingly from user3
, even though user3
did not send it.
[Frequency]
Always
[Current impact]
It’s critical.