
I recently found out that clients can "spy" on other clients and all of their communications by joining the room with the victim's session id.

Is this secure? My usage of socket.IO involves sending temporary auth keys in the body to validate requests, and with this exploit, attackers can steal that info.
I am wondering if there is some sort of workaround for this problem.

py660

  • Of course you have to protect every kind of session ID from being retrieved by a third party. – Klaus D. Jan 25 '23 at 02:00
  • This is the case if a user gets access to any type of session token/auth key, though. Are you exposing the session ID to the other users? How are the other users getting access to this user's socket ID? – Brenton Haerr Jan 25 '23 at 03:24
  • The sid is included in the URL, and the user can run JavaScript to retrieve the session id. – py660 Jan 25 '23 at 03:31
  • Please provide a link to a description of the exploit you are concerned about. Without the details it is hard to speculate. One thing I wanted to note is that clients cannot join rooms, the room joining capability is implemented in the server, so for an attacker to join a room it has to fool the server into thinking it is a legit user. – Miguel Grinberg Jan 25 '23 at 17:20

0 Answers