User Impersonation through sendMessage options
Posted: Sun Oct 06, 2024 4:58 am
Clients can use the avatar and alias parameters of outgoing messages to impersonate other users in group chats.
Description
The Meteor call sendMessage accepts a custom avatar and alias from the client, which in combination allow impersonation of other chat room members. Spoofed message senders can potentially be used in social engineering attacks.
https://hackerone.com/reports/1031525
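A server-side guard for the issue described above, as an added example that is not code from the report or from the affected project. It drops client-supplied alias and avatar fields unless the sender holds a permission, and records when an alias matches another room member's name. The function names, the permission name, the message and member shapes, and the sample data are all assumptions.

```javascript
// Hypothetical permission name; the page does not name one.
const IMPERSONATE_PERMISSION = 'override-message-identity';

// Fold a display name so look-alike spellings compare equal: NFKC
// normalisation, lower-casing, removal of whitespace and zero-width characters.
function foldName(name) {
  return String(name)
    .normalize('NFKC')
    .toLowerCase()
    .replace(/[\s\u200B-\u200D\u2060\uFEFF]/g, '');
}

// message: client-supplied payload; sender: the authenticated user;
// roomMembers: [{ username, name }]; permissions: Set of the sender's permissions.
function sanitizeOutgoingMessage(message, sender, roomMembers, permissions) {
  const clean = { ...message };
  const findings = [];

  // Detection: the alias matches the username or name of a different member.
  if (typeof clean.alias === 'string') {
    const folded = foldName(clean.alias);
    const victim = roomMembers.find(
      (m) => m.username !== sender.username &&
        [m.username, m.name].some((n) => n && foldName(n) === folded)
    );
    if (victim) findings.push({ type: 'alias-collision', member: victim.username });
  }

  // Mitigation: unprivileged senders never control how their identity renders.
  if (!permissions.has(IMPERSONATE_PERMISSION)) {
    for (const field of ['alias', 'avatar']) {
      if (field in clean) {
        findings.push({ type: 'stripped', field });
        delete clean[field];
      }
    }
  }
  return { message: clean, findings };
}

// Constructed sample data (not taken from the report).
const members = [
  { username: 'alice', name: 'Alice Admin' },
  { username: 'mallory', name: 'Mallory' },
];
const spoofed = { rid: 'GENERAL', msg: 'hello', alias: 'Alice  Admin', avatar: 'https://example.invalid/alice.png' };
console.log(sanitizeOutgoingMessage(spoofed, members[1], members, new Set()));
```

The findings array is meant to be sent to audit logging, so stripped fields and alias collisions stay visible to moderators even when the message itself is delivered.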