Title: Mattermost Mobile for iOS Authentication Token Leakage and Account Takeover
Product: Mattermost Mobile Client for iOS v1.31.0 (Build 293)
Disclosure mode: Coordinated disclosure

Product description

Mattermost is a flexible, open source messaging platform that enables secure team collaboration. The product is used in several enterprises as a self-hosted, on-premise alternative to Slack and other messaging workspaces. According to Mattermost, it is "so secure that influential countries use it as a safeguard to national security". Organizations that use Mattermost include Daimler, Intel, Uber, CERN, Bosch, NASA's JPL, Samsung, Valve, etc. (for more customers see )

Vulnerability details

In order to make formatting of chat messages more convenient, Mattermost provides Markdown as part of its core functionality. Operating with Markdown syntax opens the door to a wide collection of possibilities such as text styling, insertion of code blocks, tables, item lists and more. Additionally, the Mattermost client is also capable of rendering images by making use of the usual and well known Markdown image syntax '!'. This triggers the Mattermost client application to perform a GET request to the specified URL in order to fetch the media content; the request is sent directly to the hosting server if no image proxy is enabled.

By manipulating the image source URL and analyzing the behavior, the Blaze Information Security team found a previously unknown vulnerability exploitable on the iOS mobile application: the HTTP Authorization header, which contains the Bearer authentication token, is sent along with the GET request to arbitrary third-party hosts upon image load via a Markdown payload. The images are loaded in public/private channels or direct messages where the Markdown image declaration is posted.
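The defensive check the advisory implies, as an added example that is not Mattermost's own code: extract image URLs from a Markdown post and attach the Bearer token only when the image lives on the same origin as the server the client is logged in to. Function names, the `Accept` header and the sample post are assumptions for illustration; the WHATWG `URL` class is Node's built-in global.

```javascript
// Added example (not Mattermost's code): scope the Bearer token to the
// configured server origin before fetching a Markdown image.
// Assumes Node's global WHATWG URL class.

// Pull image targets out of Markdown "![alt](url)" declarations.
function imageUrlsFromMarkdown(text) {
  const re = /!\[[^\]]*\]\(\s*([^)\s]+)/g;
  const urls = [];
  let m;
  while ((m = re.exec(text)) !== null) urls.push(m[1]);
  return urls;
}

// Normalise an origin so default ports and case differences compare equal.
// Returns null for anything that is not https, so a token is never sent
// over plaintext. Throws for an unparsable URL.
function canonicalOrigin(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'https:') return null;
  // URL.origin already drops userinfo, path, query and the default port, so
  // "https://chat.example.com@attacker.example/x" yields "https://attacker.example".
  return u.origin.toLowerCase();
}

// Headers for one image request. Authorization is added only when the image
// origin equals the server origin; every other host gets an unauthenticated
// request, which is what closes the token leak described above.
function imageRequestHeaders(serverUrl, imageUrl, bearerToken) {
  const headers = { Accept: 'image/*' };
  let serverOrigin, imageOrigin;
  try {
    serverOrigin = canonicalOrigin(serverUrl);
    imageOrigin = canonicalOrigin(imageUrl);
  } catch (e) {
    return headers; // unparsable URL: never attach credentials
  }
  if (serverOrigin !== null && serverOrigin === imageOrigin) {
    headers.Authorization = `Bearer ${bearerToken}`;
  }
  return headers;
}

// Constructed sample post: one same-origin image, one third-party image.
const SAMPLE_POST =
  'look ![a](https://chat.example.com/files/1) and ![b](https://attacker.example/i.png)';
```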