Hello, today I found a security hole on Lichess.
After the last update, I think many people noticed a bug - when sending links to private messages or chats, they do not open, and when you hover over them, the system reacts as if they were links to users and tries to show their profile.
I noticed that when doing this, the user's computer sends a request for a link+"/mini" (If you send someone a private message with a link lichess.org/tournament/xxx, when hovered over, the computer of the person reading this will try to open lichess.org/tournament/xxx/mini).
Naturally, this is already a security hole.
I went even further.
If you add "#" at the end of the link, then the ending "/mini" will not change anothing so THE USER'S COMPUTER WILL LOAD THE LINK THAT YOU ENTER WITHOUT THE USER'S KNOWLEDGE!
The worst thing is that this works not only with links to lichess.
That is, you can send someone a link to your malicious site, he will point to it and his cookies can be sent to your site (and taking possession of the user’s cookies gives almost complete access to his account).
Fortunately, the site saves his CSB which prohibits opening links from third-party sites (except lichess1.org).
But still, this is a very serious hole and I hope I get a badge for it :)
===
P. S. I also noticed another bug related to this.
If you send a very long link to someone in private messages, then a “glitch” will occur (both for you and for the recipient) - the buttons on the top (report, call, block, delete correspondence) will disappear, as well as the messages on the right..
The same is true with chat - if you post a long link in a chat, its size will change..
So far everything seems to be fine, I haven’t found any other bugs.
SCREENSHOTS:
After the last update, I think many people noticed a bug - when sending links to private messages or chats, they do not open, and when you hover over them, the system reacts as if they were links to users and tries to show their profile.
I noticed that when doing this, the user's computer sends a request for a link+"/mini" (If you send someone a private message with a link lichess.org/tournament/xxx, when hovered over, the computer of the person reading this will try to open lichess.org/tournament/xxx/mini).
Naturally, this is already a security hole.
I went even further.
If you add "#" at the end of the link, then the ending "/mini" will not change anothing so THE USER'S COMPUTER WILL LOAD THE LINK THAT YOU ENTER WITHOUT THE USER'S KNOWLEDGE!
The worst thing is that this works not only with links to lichess.
That is, you can send someone a link to your malicious site, he will point to it and his cookies can be sent to your site (and taking possession of the user’s cookies gives almost complete access to his account).
Fortunately, the site saves his CSB which prohibits opening links from third-party sites (except lichess1.org).
But still, this is a very serious hole and I hope I get a badge for it :)
===
P. S. I also noticed another bug related to this.
If you send a very long link to someone in private messages, then a “glitch” will occur (both for you and for the recipient) - the buttons on the top (report, call, block, delete correspondence) will disappear, as well as the messages on the right..
The same is true with chat - if you post a long link in a chat, its size will change..
So far everything seems to be fine, I haven’t found any other bugs.
SCREENSHOTS:
