
A Serious Security Hole On Lichess

Hello, today I found a security hole on Lichess.

After the last update, I think many people noticed a bug - when sending links to private messages or chats, they do not open, and when you hover over them, the system reacts as if they were links to users and tries to show their profile.

I noticed that when doing this, the user's computer sends a request for the link + "/mini" (if you send someone a private message with a link lichess.org/tournament/xxx, when it is hovered over, the computer of the person reading it will try to open lichess.org/tournament/xxx/mini).

Naturally, this is already a security hole.
I went even further.
If you add "#" at the end of the link, then the ending "/mini" will not change anything, so THE USER'S COMPUTER WILL LOAD THE LINK THAT YOU ENTER WITHOUT THE USER'S KNOWLEDGE!

The worst thing is that this works not only with links to lichess.
That is, you can send someone a link to your malicious site; when they point to it, their cookies can be sent to your site (and taking possession of the user's cookies gives almost complete access to their account).

Fortunately, the site sets its CSP, which prohibits opening links from third-party sites (except lichess1.org).

But still, this is a very serious hole and I hope I get a badge for it :)

===
P. S. I also noticed another bug related to this.
If you send a very long link to someone in private messages, then a "glitch" will occur (both for you and for the recipient) - the buttons on the top (report, call, block, delete correspondence) will disappear, as well as the messages on the right.

The same is true with chat - if you post a long link in a chat, its size will change.

So far everything seems to be fine, I haven’t found any other bugs.

SCREENSHOTS:
https://i.imgur.com/loEAoo0.png
https://i.imgur.com/UubztMP.png

Thanks for the report, there's a bug indeed where all links are treated like user links, I'll fix it.

There is however no security hole. Cookies are never sent to third parties.

Furthermore, XHR calls are never made to third parties, due to the CSP headers.

Therefore there is no way to exploit this bug that I can think of, and no security vulnerability. Let me know if I'm wrong with an example.
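The mechanism in the report above (hover fetches the link + "/mini", and a trailing "#" turns that suffix into a fragment) and the narrowing thibault mentions (previews only for user links), as an added example in JavaScript that is not the thread's or lichess's own code; the site origin, the username pattern and all function names are assumptions:

```javascript
// Added example (not lichess code): why naive "append /mini" is defeated by a
// trailing "#", and a hardened preview-URL builder that only previews
// same-origin user-profile links.
const SITE_ORIGIN = "https://lichess.org"; // assumption: the site's own origin

// Naive approach, as the report describes: plain string concatenation.
function naivePreviewUrl(href) {
  return href + "/mini";
}

// Where the browser would actually send the naive request: everything after
// "#" is a fragment and never leaves the client, so "/mini" is dropped.
function requestTarget(href) {
  const u = new URL(naivePreviewUrl(href));
  return u.origin + u.pathname;
}

// Hardened approach: parse first, then decide whether a preview exists at all.
function safePreviewUrl(href, origin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(href, origin); // relative links resolve against our origin
  } catch (e) {
    return null; // unparseable: no preview
  }
  if (url.origin !== origin) return null; // third-party link: never fetched
  // Assumed user-profile path shape: /@/<username>; anything else has no preview.
  if (!/^\/@\/[A-Za-z0-9_-]+$/.test(url.pathname)) return null;
  url.hash = "";   // drop any fragment so the suffix cannot be neutralised
  url.search = ""; // drop query string; the preview endpoint takes none
  return url.origin + url.pathname + "/mini";
}
```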

I think the correct place to report security vulnerabilities is github.com/lichess-org/lila/security

But I fail to understand how any of this would be a security risk at all.

I think when hovering a link you get a preview (usually of a user - doesn't make sense for tournaments, obviously, so this may be a bug). How would that ever harm you?

Also, why would any of your private lichess cookies be sent to other sites? Makes no sense to me.

<Comment deleted by user>

If the malicious site requests credentials in the CORS-preflight response, the browser will include cookies when performing the actual requests after the preflight. However, what @thibault said is true - lichess does set CSP to prevent cross-site requests, which eliminates the risk. Lichess sets CSP via an HTTP meta tag instead of using a response header, which is perfectly valid.
