Summary
An insecure direct object reference (IDOR) vulnerability allows any authenticated user to modify other participants’ votes in polls without authorization. The backend relies solely on the participantId parameter to identify which votes to update, without verifying ownership or poll permissions. This allows an attacker to alter poll results in their favor, directly compromising data integrity.
Details
The Rallly application fails to validate ownership before accepting vote change requests. By leveraging the previously disclosed information disclosure issue (GHSA-xw47-6mpg-5hww
Once these IDs are known, the attacker can intercept their own legitimate “change vote” request and modify the participantId field to reference another participant. The server does not check whether the authenticated user actually owns the targeted participant record, thus accepting and applying the malicious update.
Vulnerable Flow:
1. Attacker enumerates participant IDs via the prior information disclosure vulnerability.
2. Attacker intercepts a legitimate vote-change request.
3. Attacker replaces their own participant ID with another user’s ID (e.g., the poll owner’s).
4. The modified request is sent to the server, which processes the update successfully.
5. The victim’s votes are altered without their knowledge or consent.
This results in an attacker being able to manipulate poll outcomes arbitrarily.
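To make the missing check concrete, here is an added illustration (not Rallly’s own code) of a vote-update handler that trusts the client-supplied participantId, beside a version that resolves the participant and requires the caller to own it or the poll before writing. All types, the in-memory store and the function names are hypothetical.

```typescript
// Constructed stand-in for the database; not Rallly's schema.
type VoteType = "yes" | "no" | "ifNeedBe";
interface Participant { id: string; pollId: string; userId: string; }
interface Poll { id: string; ownerUserId: string; }
interface Vote { participantId: string; optionId: string; type: VoteType; }
interface Ctx { userId: string; }  // the authenticated caller
interface UpdateInput { participantId: string; votes: { optionId: string; type: VoteType }[]; }

const polls = new Map<string, Poll>([["poll1", { id: "poll1", ownerUserId: "userA" }]]);
const participants = new Map<string, Participant>([
  ["pA", { id: "pA", pollId: "poll1", userId: "userA" }],  // poll owner's participant
  ["pB", { id: "pB", pollId: "poll1", userId: "userB" }],  // regular participant
]);
const votes = new Map<string, Vote[]>([
  ["pA", [{ participantId: "pA", optionId: "opt1", type: "yes" }]],
  ["pB", [{ participantId: "pB", optionId: "opt1", type: "no" }]],
]);

// Vulnerable: the only lookup key is the participantId from the request body,
// so any authenticated user can overwrite any participant's votes (IDOR).
function updateVotesVulnerable(_ctx: Ctx, input: UpdateInput): void {
  if (!participants.has(input.participantId)) throw new Error("not found");
  votes.set(input.participantId,
    input.votes.map(v => ({ participantId: input.participantId, ...v })));
}

// Hardened: load the participant, then require that the caller owns that
// participant record or owns the poll it belongs to.
function updateVotesChecked(ctx: Ctx, input: UpdateInput): void {
  const p = participants.get(input.participantId);
  const poll = p ? polls.get(p.pollId) : undefined;
  // Same error for "missing" and "not yours", so the endpoint does not confirm
  // which participant IDs exist.
  if (!p || !poll) throw new Error("forbidden");
  const ownsParticipant = p.userId === ctx.userId;
  const ownsPoll = poll.ownerUserId === ctx.userId;
  if (!ownsParticipant && !ownsPoll) throw new Error("forbidden");
  votes.set(p.id, input.votes.map(v => ({ participantId: p.id, ...v })));
}

function getVotes(participantId: string): Vote[] {
  return votes.get(participantId) ?? [];
}
```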
PoC
Test Environment Setup:
Target: Local Rallly instance at http://192.168.11.109:3000/
Victim (User A): fairalien (Poll owner)
Attacker (User B): hehe (Regular participant)
Steps to Reproduce:
- Obtain participant IDs:
  Use the information disclosure vulnerability (GHSA-xw47-6mpg-5hww
- Intercept a legitimate vote update request:
  Capture the request while the attacker updates their own vote selection.
- Modify and forward the request:
  Replace the attacker’s participantId with another user’s (e.g., the poll owner’s participantId) and send it to the server.
  The request is processed successfully, updating the victim’s votes.
- Verify results:
  The poll now reflects modified votes for the victim’s account.
Impact
This vulnerability allows unauthorized users to manipulate other participants’ votes, directly altering poll results. It compromises data integrity, as attackers can falsify voting outcomes, and may also impact trust and fairness in collaborative decision-making processes.