The anonymous feedback app Sarahah makes the headlines once again, according to the according to security researcher Scott Helme, the web-based version of the app is plagued with security flaws.
Sarahah mobile app allows users to receive anonymous feedback messages from friends and co-workers, but according to the Helme is vulnerable to web-based attacks such as Cross-Site Request Forgery (CSRF) and cross-site scripting.
An attacker can launch a Cross-Site Request Forgery (CSRF) attacks to force an end user to execute unwanted actions on a vulnerable web application.
Helme discovered that it was “trivially easy” to bypass Cross-Site Request Forgery (CSRF) protection implemented by the developers of the app.
The Sarahah app allows users to send anonymous messages to the users, of course, ill-intentioned can abuse this feature to send insults and flaming. The app implements only rudimentary filtering to prevent abuse of other members. Helme pointed out that there isn’t rate limiting allowing attackers to anonymously send hundreds of messages.
“The app does deploy native CSRF protection but it turns out that in a lot (almost all) circumstances it’s fairly trivial to bypass. Endpoints like /Messages/FavoriteAjax and /Messages/DeleteAjax can be called as GET requests instead of POST requests and only require the id parameter in most cases. This makes it pretty trivial to craft a link to send to someone or launch a CSRF attack from any page you can get the victim to visit. ” wrote the expert.
“The application doesn’t seem to deploy rate limiting anywhere on the site and this is especially problematic when sending messages. Given the nature of the site and the ability to send totally anonymous messages, I was able to send several hundred abusive messages to Kate in just a couple of seconds. With no way to bulk delete messages Kate would have to sit there and delete each of these one by one.”
The issues discovered by Helme are unusual in a well-developed application, Sarahah is one of the most popular apps today, it is the number one app on Apple’s App Store and is number one in more than 10 countries on Google Play too.
Helme spotted many other vulnerabilities in the application, including password reset procedure account lockout issues.
“My biggest worry is that this is a brand new application and the issues were not difficult to find at all,” Helme told El Reg.. “They are basic issues I wouldn’t expect to find in a new app and as a result I’m concerned the app hasn’t undergone any security testing prior to release. If it has then I’d be raising some very serious questions with the firm that did the testing as to why such fundamental flaws were missed.”
Sarahah acknowledged the results of the Helme’s assessment and confirmed that its development team is already working to fix them.
The researcher attempted to report the flaws in early August, he was disappointed by the fact that the company did reply very fast, Helme highlights the importance of privacy and security issues for such kind of applications.
“An app of this nature should be very security and privacy-focused,” he explained. “I was disappointed at how difficult it was to contact the firm to responsibly disclose these issues that affect their users and how poor the response and handling was once I made contact.”