I found this way to automatically make users download files if they’ve allowed embeds from codahosted.io, which I’m afraid a lot of people have.
I reported this but they said it’s not an exploit.
If a file automatically downloaded when you opened this post then I’d say this is an exploit.
If it didn’t download for anyone then it’s not a problem
Hmmm, I can see why they said it’s not an exploit… but at the same time it does feel wrong…
Well, as soon as you click “Open in coda” it downloads a file. If you’re handed the link for the coda doc and you open it, it’ll definitely start the download automatically, so I’d say it is an exploit.
You might need to open a suggestion post.
I’m glad you’re taking this serious! For me, the file even downloads here directly in the forum.
But yeah I feel like this has huge potential for a malicious actor. I reported this on hackerone because I want to be compensated for my time, I hope they will re-evaluate their decision
Will add my voice here as the person who submitted several reports on Coda to h1.
There are a few things that make this attack less serious:
- It requires a person to allow forced embeds from codahosted (I think it’s on the per-doc level, not universally across docs?)
- The file must pass the virus check (since that’s the only way how files end up on codahosted; temporary storage is different and I don’t think you can embed from there after the post-itsy updates)
- The user must actually launch it after the download
That said, I would still consider it a vulnerability and insist on considering it as such. While marked out of scope in the rules, Coda triagers on h1 often allow the reports to have a certain degree of reliance on social engineering. It’s hard to argue that a few users might get curious and actually launch the downloaded files, and that the virus scans are 100% bulletproof. Furthermore, even with a harmless blank txt file you could impair connectivity if you e.g. force users to download the max-size file (several GBs?) every time they open a page.
P.S. The file keeps downloading even after I click Block. The embed looks blocked but the file keeps downloading on every sneeze when I’m on this page.
P.P.S. Now that you disclosed it publicly, get ready to not get compensated for the report. You should push for it but the only reward will probably be your relief that you helped make things right.
It seems to be a unviversal setting actually! You’re other points are valid though.
Yeah the file keeps downloading, it’s a little funny.
Meh, I gave them a chance to do this privately, posting this here was the logical next step for me after they closed my h1 request
Pinged Coda about this in our internal slack with them, although not expecting anyone to really look until the next week (holidays etc)
Also it didn’t download for me when I initially opened the page, but I think I should’ve enabled embeds from codahosted at least once (can’t be that I never ever enabled them ) Hence the hunch that it is, to some degree, not universal. Haven’t tested it yet though.