TelescopeJS Information Leakage User BCrypt password hash post-authentication

2015.04.26
Credit: Shubham
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi,

TelescopeJS leaks the user's BCrypt password hash in incoming websocket messages once the user has authenticated. Because TelescopeJS is an expressjs web application, it stores session information in the browser's localStorage. This means that if an attacker is able to find a single cross-site scripting flaw in MeteorJS, they would then be able to extract the user's password hash from incoming websocket messages. This hash could then be cracked.

The bcrypt hash is sent in incoming websocket messages every time the user object is needed by the application.

This vulnerability affects TelescopeJS installations below version 0.15.

A discussion about these issues can be found here: https://github.com/TelescopeJS/Telescope/issues/838

The commits leading to the fix for this flaw can be found here: https://github.com/TelescopeJS/Telescope/blob/dd6130637c00a8166cc4647153b441cb32b7ca61/lib/publications.js#L29-L31

If any more details are required, please let me know.

Thank you,
Shubham

References:

https://github.com/TelescopeJS/Telescope/blob/dd6130637c00a8166cc4647153b441cb32b7ca61/lib/publications.js#L29-L31
https://github.com/TelescopeJS/Telescope/issues/838
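
A regression check for the leak described above, added here as an example and not taken from the advisory or from TelescopeJS: it scans captured server-to-client websocket frames for values in bcrypt format. It assumes Meteor's DDP message shape (`msg`, `collection`, `id`, `fields`), SockJS `a[...]` framing and the `services.password.bcrypt` field path; the function names, sample frames and placeholder hash are constructed for illustration.

```javascript
// Added example: audit captured server-to-client frames for leaked bcrypt hashes.
// Assumes Meteor DDP messages ({msg, collection, id, fields}) and SockJS a[...] framing.

// Modular-crypt bcrypt format: $2a$/$2b$/$2y$, two-digit cost, 53 base64-like chars.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/;

// Unwrap one frame into DDP message objects; control frames (o, h, c) yield [].
function decodeFrame(frame) {
  try {
    if (frame.startsWith("a[")) return JSON.parse(frame.slice(1)).map((s) => JSON.parse(s));
    if (frame.startsWith("{")) return [JSON.parse(frame)];
  } catch (_) {
    // Malformed frame: nothing to audit.
  }
  return [];
}

// Recursively collect dotted paths whose string value looks like a bcrypt hash.
function findHashPaths(value, path = []) {
  if (typeof value === "string") return BCRYPT_RE.test(value) ? [path.join(".")] : [];
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) => findHashPaths(v, path.concat(k)));
}

// Report every document update ("added"/"changed") that carries a hash to the client.
function auditFrames(frames) {
  const findings = [];
  for (const frame of frames) {
    for (const msg of decodeFrame(frame)) {
      if (!msg || (msg.msg !== "added" && msg.msg !== "changed")) continue;
      for (const path of findHashPaths(msg.fields || {})) {
        findings.push({ collection: msg.collection, id: msg.id, path });
      }
    }
  }
  return findings;
}

// Constructed sample data: a placeholder in bcrypt format, not a real hash.
const FAKE_HASH = "$2a$10$" + "x".repeat(53);
const wrap = (doc) => "a" + JSON.stringify([JSON.stringify(doc)]);
const leakyFrame = wrap({ msg: "added", collection: "users", id: "u1",
  fields: { username: "alice", services: { password: { bcrypt: FAKE_HASH } } } });
const cleanFrame = wrap({ msg: "added", collection: "users", id: "u1",
  fields: { username: "alice" } });

console.log(auditFrames(["o", leakyFrame, cleanFrame, '{"msg":"ping"}']));
```

An empty result for a logged-in test session is the expected outcome once publications restrict the user document to an explicit list of fields.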

