The vulnerability stemmed from the fact that the pre-existing SSO logic is executed only when the /new forum account form is being viewed by the user. The first step of the process, which is to assign a nonce to the newly created forum account, was being executed before the /new forum account form was even shown. As a result, the code was vulnerable to an unintended Man-in-the-Middle attack where another forum user’s account could potentially be hijacked during the single sign-on process.

NodeBB Forum Software contains a centralised user database. All registered users have unique user accounts, which are stored in a central user database. To create a new forum account, the process looks like this:

NodeBB does not have an opt-in/out policy for nonces. It is by design that nonces are assigned to new forum accounts.
To fix this issue, the NodeBB team decided to remove the pre-existing code that added a nonce to newly created forum accounts.

What is a Nonce?

A nonce is a number used once. It is typically generated by a cryptographically secure random number generator or it is derived from some other form of entropy source. In this case, the nonce generated was being stored in the same user database as the newly created forum account’s username.

A nonce is not secret information, but it does allow for an easy way to verify that a new account has been created and can be considered unique from other accounts. It also allows for some level of protection against replay attacks if one were to try to reuse previous authentication data on another account.
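The single-use and replay-protection properties described above can be shown in a short sketch. This is an added example, not NodeBB's code and not taken from the advisory; the `NonceStore` class, its `issue`/`consume` methods, the in-memory map and the session names are all hypothetical.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory store mapping nonce -> { sessionId, expiresAt }.
class NonceStore {
  constructor(ttlMs = 5 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.pending = new Map();
  }

  // Issue a fresh nonce, tied to the session that started the sign-on.
  issue(sessionId, now = Date.now()) {
    const nonce = crypto.randomBytes(32).toString('hex'); // CSPRNG output
    this.pending.set(nonce, { sessionId, expiresAt: now + this.ttlMs });
    return nonce;
  }

  // Accept a nonce at most once, and only for the session it was issued to.
  consume(sessionId, nonce, now = Date.now()) {
    const entry = this.pending.get(nonce);
    if (!entry) return 'unknown-or-replayed';
    // Burn the nonce on first presentation, whatever the outcome, so a
    // failed attempt cannot be retried with the same value.
    this.pending.delete(nonce);
    if (now > entry.expiresAt) return 'expired';
    if (entry.sessionId !== sessionId) return 'wrong-session';
    return 'ok';
  }
}

// Constructed walk-through: one legitimate use, then three rejected ones.
function demo() {
  const store = new NonceStore(1000); // 1 second lifetime for the demo
  const t0 = 1000000;                 // fixed clock value (constructed)
  const n1 = store.issue('session-alice', t0);
  const n2 = store.issue('session-alice', t0);
  const n3 = store.issue('session-alice', t0);
  return {
    first: store.consume('session-alice', n1, t0 + 10),
    replay: store.consume('session-alice', n1, t0 + 20),
    otherSession: store.consume('session-mallory', n2, t0 + 10),
    expired: store.consume('session-alice', n3, t0 + 5000),
    unique: n1 !== n2 && n1.length === 64,
  };
}

console.log(demo());
```
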

What is a Man-in-the-Middle Attack?

A Man-in-the-Middle (MitM) attack is a form of computer network attack where a person or malicious entity inserts themselves in the communication stream between two parties who are not aware that they are communicating with the attacker. Once inserted, the attacker can see what is being sent and received by both parties and may be able to corrupt, delay, modify or interrupt the communication stream.

To mitigate MitM attacks, NodeBB implements SSL encryption. When this is enabled during authentication, SSL prevents an attacker from decrypting secure data.

What Should You Do Now?

If you are using NodeBB and your forum software is not configured to use SSL, you should immediately disable the SSO functionality. Do this either from the administration panel or via the configuration file.

Finding The Vulnerability

The vulnerability was found when the user was attempting to create new forum accounts within NodeBB. The first step of the process, which is to assign a nonce to the newly created account, was being executed before the /new forum account form was even shown. As a result, the code was vulnerable to an unintended Man-in-the-Middle attack where another forum user’s account could potentially be hijacked during the single sign-on process.

Timeline

Published on: 09/02/2022 13:15:00 UTC
Last modified on: 09/08/2022 03:23:00 UTC
