CVE-2024-28627 - Password protection bypass with javascript tampering

1. Vulnerability Properties

Title: Password protection bypass with javascript tampering
CVE ID: CVE-2024-28627
CVSSv3 Base Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Vendor: Flipsnack
Products: Flipsnack
Advisory Release Date: 11-04-24
Advisory URL: https://labs.integrity.pt/advisories/cve-2024-28627/
Credits: Discovery by Gil Correia <gil.correia[at]devoteam.com>

2. Vulnerability Summary

This vulnerability consists of bypassing the password protection applied to a document.

When a password is entered, no request is made to the backend. This prompted an analysis of the JavaScript, where I came across an interesting function called “isCorrectPassword” in the file reader.gz.js. It returns the result of comparing the hash of the original password, which is delivered in data.json, with the password entered by the user.

Since the evaluation takes place on the client side rather than on the server side, this protection is easily bypassed by modifying the function's return value to “true”.

A more straightforward way to modify the JavaScript and reload it in the browser is to create a rule in Burp Proxy's Match and Replace Rules that modifies the JavaScript just before it reaches the browser. With such a rule enabled, every password-protected file accepts any password entered by the attacker.

3. Vulnerable Versions

  • Flipsnack reader.gz.js file, versions up to 18/03/2024

4. Solution

  • Ensure that the application is using the most recent reader.gz.js file.

5. Vulnerability Timeline

  • 05/03/24 - Bug reported to vendor
  • 05/03/24 - Bug validated by vendor
  • 18/03/24 - Patch released by vendor
  • 11/04/24 - Advisory released

6. References

  • https://cwe.mitre.org/data/definitions/603.html
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28627
  • https://www.flipsnack.com/

