A misconfiguration of the ACLs on SendBird allows unauthenticated users to create user accounts and make API calls.
This is a broken access control flaw: the application failed to validate the access tokens.
The impact of the flaw is as follows:
- Leak users' sensitive information
- Create a chat channel (without creating a new league)
- Manage the chat channel
- Update the user’s chat profile
- Update the group channel configuration
- Chat with any user
- An attacker could edit/delete any user's messages while holding the operator role in a channel they created themselves.
- An attacker could update the details and configuration of a channel while being a member of it.
- As documented, a single SendBird user can only join a maximum of 2000 group channels. The attacker could create 2000 group channels and add every user in the SendBird application to them. As a result, no user could join any further SendBird channel, which would cause a denial of service.
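To make the missing checks concrete, here is an added example of the server-side authorization layer a chat service needs before any of the operations listed above are carried out. It is illustrative code written for this write-up, not SendBird's own implementation or API: the HMAC token format, the channel records, the operator/member roles and the per-actor invite quota are all constructed for the demonstration. It shows the three gates whose absence the report describes: every call must carry a valid, unexpired access token; channel configuration changes require the operator role rather than mere membership; message edits are limited to the author; and invites are capped per actor so one account cannot mass-add every user to thousands of channels.

```python
"""Illustrative server-side authorization for a chat API.

Added example, not SendBird code. Secrets, channel records, roles and the
invite quota are constructed here purely to demonstrate the checks.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_SECRET = b"constructed-server-secret"   # assumed per-deployment secret
MAX_INVITES_PER_ACTOR = 50                      # constructed quota, not a SendBird value


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def issue_token(user_id, now, ttl=3600):
    """Mint an HMAC-signed session token of the form '<user>:<expiry>:<sig>'."""
    payload = f"{user_id}:{int(now) + ttl}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_token(token, now):
    """Return the user id the token was issued for, or raise Forbidden.

    This is the step the report says was missing: every call, user creation
    included, must prove who is calling before anything else happens.
    """
    if not token or token.count(":") < 2:
        raise Forbidden("missing or malformed token")
    user_id, exp, sig = token.rsplit(":", 2)
    expected = hmac.new(SERVER_SECRET, f"{user_id}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        raise Forbidden("bad signature")
    if not exp.isdigit() or int(exp) <= now:
        raise Forbidden("expired token")
    return user_id


@dataclass
class Channel:
    members: set = field(default_factory=set)
    operators: set = field(default_factory=set)
    messages: dict = field(default_factory=dict)   # message id -> author id


@dataclass
class ChatService:
    channels: dict = field(default_factory=dict)
    invites_sent: dict = field(default_factory=dict)  # actor -> invites issued

    def _actor(self, token, channel_id, now):
        """Authenticate the caller and require membership of the channel."""
        actor = verify_token(token, now)
        channel = self.channels[channel_id]
        if actor not in channel.members:
            raise Forbidden("not a member of this channel")
        return actor, channel

    def update_channel_config(self, token, channel_id, now):
        """Config changes need the operator role, not mere membership."""
        actor, channel = self._actor(token, channel_id, now)
        if actor not in channel.operators:
            raise Forbidden("operator role required")
        return True

    def edit_message(self, token, channel_id, message_id, now):
        """Only the author of a message may edit it."""
        actor, channel = self._actor(token, channel_id, now)
        if channel.messages.get(message_id) != actor:
            raise Forbidden("only the author may edit a message")
        return True

    def invite(self, token, channel_id, invitee, now):
        """Operators may invite, but a per-actor cap blunts mass-join abuse."""
        actor, channel = self._actor(token, channel_id, now)
        if actor not in channel.operators:
            raise Forbidden("operator role required")
        sent = self.invites_sent.get(actor, 0)
        if sent >= MAX_INVITES_PER_ACTOR:
            raise Forbidden("invite quota exhausted")
        self.invites_sent[actor] = sent + 1
        channel.members.add(invitee)
        return True
```

The `now` parameter is passed explicitly rather than read from the clock so that token expiry can be exercised deterministically; in a real deployment the handler would take the current time itself, and the quota would be tracked in a shared store with a rolling window rather than a plain in-memory counter.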