The Untold SendBird Misconfigurations

A misconfiguration of the access control settings on SendBird allows unauthenticated users to create user accounts and make API calls.

This is a broken access control flaw: the application did not validate access tokens, so any client that knows or guesses a user ID can connect as that user, and connecting with a previously unseen user ID creates a new account. The fix is a configuration change on the SendBird application itself: require an access token (or session token) for every connection and deny logins that present none, instead of granting read and write access to clients that connect with a bare user ID.

The flaw has the following impact:

  • Leak users' sensitive information
  • Create a chat channel (without creating a new league)
  • Manage the chat channel
  • Update a user's chat profile
  • Update the group channel configuration
  • Chat with any user
  • As operator of a self-created channel, an attacker could edit or delete any user's messages in it.
  • As a member of any channel, an attacker could update that channel's details and configuration.
  • SendBird documents a limit of 2000 group channels per user. An attacker could create 2000 group channels and add every user of the SendBird application to them; after that, no user could join any further channel, which is a denial of service.
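The two mechanisms above, an identity that is accepted without a token and a per-user channel cap that a stranger can spend on the victim's behalf, are easier to reason about in a small model. The following simulation is an added example, not code from the original post and not SendBird's code or API: the `ChatApp` class, its `require_access_token` flag, the user IDs `alice`, `bob`, `carol` and `attacker`, and the `tok-*` tokens are all constructed here for illustration. The only value taken from the post is the 2000-channel limit.

```python
"""Illustrative simulation of the access-control failure described in this
post: a chat backend that accepts a client-supplied user ID when no access
token is presented, and the per-user cap on group channel memberships that
lets one such client lock every user out.  Toy model, not SendBird's code."""

from dataclasses import dataclass, field
from typing import Optional

MAX_GROUP_CHANNELS_PER_USER = 2000  # limit quoted in the post


class AccessDenied(Exception):
    pass


class QuotaExceeded(Exception):
    pass


@dataclass
class ChatApp:
    # Hardened configuration: every connect must present a valid token.
    require_access_token: bool
    tokens: dict = field(default_factory=dict)        # user_id -> issued token
    memberships: dict = field(default_factory=dict)   # user_id -> channel count
    channels: list = field(default_factory=list)      # (operator, frozenset(members))

    def issue_token(self, user_id: str, token: str) -> None:
        self.tokens[user_id] = token
        self.memberships.setdefault(user_id, 0)

    def connect(self, user_id: str, access_token: Optional[str] = None) -> str:
        """Return the authenticated user_id or raise AccessDenied."""
        if access_token is not None:
            if self.tokens.get(user_id) != access_token:
                raise AccessDenied("invalid token for %s" % user_id)
            return user_id
        if self.require_access_token:
            raise AccessDenied("access token required")
        # Misconfigured path: the claimed identity is accepted as-is, and an
        # unknown user_id silently becomes a new account.
        self.memberships.setdefault(user_id, 0)
        return user_id

    def create_group_channel(self, session: str, invited: list) -> int:
        """Create a channel operated by `session`.  Every member consumes one
        slot of their own quota, so a stranger can spend the victims' slots."""
        members = {session, *invited}
        for uid in members:
            if self.memberships.get(uid, 0) >= MAX_GROUP_CHANNELS_PER_USER:
                raise QuotaExceeded(uid)
        for uid in members:
            self.memberships[uid] = self.memberships.get(uid, 0) + 1
        self.channels.append((session, frozenset(members)))
        return len(self.channels) - 1


def build_app(require_access_token: bool) -> ChatApp:
    app = ChatApp(require_access_token=require_access_token)
    for uid in ("alice", "bob", "carol"):          # constructed sample users
        app.issue_token(uid, "tok-%s" % uid)
    return app


def impersonation_possible(app: ChatApp) -> bool:
    """Can a client become 'alice' with nothing but her user ID?"""
    try:
        return app.connect("alice") == "alice"
    except AccessDenied:
        return False


def run_quota_dos(app: ChatApp) -> dict:
    """An attacker with no token adds every user to 2000 channels, then alice
    (properly authenticated) tries to open one legitimate channel."""
    result = {"attacker_connected": False, "victim_can_create": True}
    try:
        attacker = app.connect("attacker")          # no token presented
        result["attacker_connected"] = True
        for _ in range(MAX_GROUP_CHANNELS_PER_USER):
            app.create_group_channel(attacker, ["alice", "bob", "carol"])
    except AccessDenied:
        pass
    alice = app.connect("alice", "tok-alice")
    try:
        app.create_group_channel(alice, ["bob"])
    except QuotaExceeded:
        result["victim_can_create"] = False
    return result


if __name__ == "__main__":
    for hardened in (False, True):
        app = build_app(require_access_token=hardened)
        print("require_access_token=%s impersonation=%s %s"
              % (hardened, impersonation_possible(app), run_quota_dos(app)))
```

With `require_access_token=False` the attacker connects as a fresh account, may equally connect as `alice`, and after 2000 channel creations every legitimate user is at the cap and `alice` cannot open a channel at all. With the flag set, the same sequence stops at the first connect, which is the behaviour the token-required configuration should produce on the real service.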

Posted by SH
