CoSpaces Vulnerability - Account Access Compromised Just By Clicking Play

This vulnerability allows you to:

  1. Execute any JavaScript code on the browser from just pressing the play button
  2. Log the user out of their account from just pressing the play button
  3. Redirect user to any site
  4. Possibly do operations (creating spaces, deleting spaces, changing spaces) without permission

This is slightly related to a file inclusion vulnerability. It is mainly an XSS vulnerability (Cross Site Scripting attack).

2 Likes

This is a time sensitive XSS vulnerability, please reply soon.
If you are a non staff member reading, flag this post to get staff attention.

Press Flag, then other, then put Vulnerability for the reason.

1 Like

Here’s some footage:


In one video the code looks very strange, I complicated it on purpose to keep the vulnerability confidential. But as you can see, the vulnerability manipulates HTML easily.

One video demonstrates being logged out too! It doesn’t need the screen either. It could do it instantly, but I did it to record it easier.

@CoSpaces_Edu Please pass on to developers.

1 Like

If they respond I can give the readable code to them and they can fix it. It’s pretty easy to do: just delete some files server side in order to prevent unauthorized access.

@CoSpaces_Edu XSS Vulnerability (Cross Site Scripting attack) found. Please check this out.

Update: CoSpaces support is working with me.
@techleapnz @CoSpaces_Edu

1 Like

Final Update & Solution:
CoSpaces has successfully patched the vulnerability by removing nonessential Brython runtime packages from the server.
Thanks for working with me!
@techleapnz @CoSpaces_Edu

1 Like

Awesome work, thanks @cahse. Please message @CoSpaces_Edu directly using this forum’s built-in messaging (or support@cospaces.io) if you find any further vulnerabilities, so that developers have a chance to patch the code before the vulnerability becomes public. :pray:

1 Like

Resource for others:

The vulnerability abuses the browser package that the developers forgot to delete. Whether it’s because they forgot or because they are not familiar with Brython is unknown.

How I found the vulnerability:

I wanted to see how the Python code was being executed, so I checked the Network Logs and found something called Brython. I looked further and found an open source Brython project that allows you to execute Python in a way that can design websites. CoSpaces remanipulated this project for their own purposes and injected a package within Brython.

I realized that the examples from their documentation work in CoSpaces… This is the moment I realized I found the vulnerability.

Brython website: Brython Documentation

1 Like
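As an added defensive example (not the author's code and not CoSpaces' implementation), this is the kind of static screen a platform that runs user-authored Brython scripts in other users' browsers could apply before execution: reject imports of Brython's host-access packages (`browser`, `javascript`) and flag dynamic-import builtins that would sidestep the check. The allowlist and the sample scripts are constructed for the example; removing the packages server side, as the thread's fix did, remains the primary control and this screen is defense in depth.

```python
import ast

# Constructed allowlist of modules a user script may import (assumption; the
# real platform's list is not on the page).
ALLOWED_MODULES = {"math", "random", "time"}

# Brython packages that give a script access to the DOM and the host page.
# Scripts that run in another user's browser must never reach these.
BLOCKED_MODULES = {"browser", "javascript"}

# Builtins that can load a module at runtime and defeat a static import check.
DANGEROUS_BUILTINS = {"__import__", "exec", "eval"}


def root_module(name: str) -> str:
    """'browser.html' -> 'browser' so dotted imports are judged by their root."""
    return name.split(".")[0]


def screen_script(source: str) -> list[str]:
    """Return a list of findings; an empty list means the script passed."""
    findings = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable code is rejected rather than handed to the runtime.
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]          # relative imports become ""
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in DANGEROUS_BUILTINS):
            findings.append(f"line {node.lineno}: {node.func.id}() bypasses static import checks")
            continue
        else:
            continue
        for name in names:
            root = root_module(name)
            if root in BLOCKED_MODULES:
                findings.append(f"line {node.lineno}: host-access module '{name}' is blocked")
            elif root not in ALLOWED_MODULES:
                findings.append(f"line {node.lineno}: module '{name}' is not allowlisted")
    return findings


# Constructed sample scripts for demonstration.
SAFE_SCRIPT = "import math\nprint(math.sqrt(2))\n"
DOM_SCRIPT = "from browser import document\n"     # Brython's DOM entry point
DYNAMIC_SCRIPT = "m = __import__('browser')\n"
```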