Description (Actual behavior)
On the be1-go backend, there is no verification that only the organizer can create/open/close a rollcall.
Anyone can send these messages (using a modified frontend) and the Go backend will accept them.
Expected behavior
There should be a verification of the sender's public key that denies any rollcall create/open/close not coming from the organizer.
How to reproduce
Create a Lao with client1 (organizer)
Join the Lao with client2 (with a modified frontend that allows sending the messages)
Version & Environment
This bug was reproduced on:
Front-ends:
Back-ends:
Environment (as applicable):
Workaround
The Scala backend doesn't seem to be vulnerable to the same problem.
Impact
Anyone can maliciously create a new rollcall and add many PoP tokens.
Possible root cause
No verification that the sender of a rollcall create/open/close is the organizer.
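One way the Go backend could enforce the missing check, as an added example that is not be1-go's own code: the handler verifies the message signature under the sender's key and only then compares that key with the organizer's. The Lao and Message types, the base64url encoding of the sender key and the Ed25519 signature over the payload are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Lao is a minimal model of the state the check needs (hypothetical type, not be1-go's).
type Lao struct{ Organizer ed25519.PublicKey }
// Message is the assumed subset of a PoP message: payload, base64 sender key, signature over Data.
type Message struct {
	Data      []byte
	Sender    string
	Signature []byte
}

var ErrBadSignature = errors.New("rollcall rejected: message does not verify under the sender key")
var ErrNotOrganizer = errors.New("rollcall rejected: sender is not the LAO organizer")

// AuthorizeRollCallAction accepts a rollcall create/open/close only if the message
// verifies under the sender's key AND that key is the organizer's. Comparing the sender
// field alone is not enough: a modified frontend could copy the organizer's key into it.
func AuthorizeRollCallAction(lao *Lao, msg Message) error {
	senderKey, err := base64.URLEncoding.DecodeString(msg.Sender)
	if err != nil || len(senderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(senderKey), msg.Data, msg.Signature) {
		return ErrBadSignature
	}
	if !lao.Organizer.Equal(ed25519.PublicKey(senderKey)) {
		return ErrNotOrganizer
	}
	return nil
}

// SignedMessage signs data with priv but stamps the claimed sender key (constructed helper).
func SignedMessage(priv ed25519.PrivateKey, sender ed25519.PublicKey, data []byte) Message {
	return Message{Data: data, Sender: base64.URLEncoding.EncodeToString(sender), Signature: ed25519.Sign(priv, data)}
}

func main() {
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	lao := &Lao{Organizer: orgPub}
	payload := []byte(`{"object":"roll_call","action":"create"}`) // constructed payload
	fmt.Println("organizer:", AuthorizeRollCallAction(lao, SignedMessage(orgPriv, orgPub, payload)))
	fmt.Println("spoofed sender:", AuthorizeRollCallAction(lao, SignedMessage(attPriv, orgPub, payload)))
}
```

The same check applies unchanged to the open and close actions, since only the payload differs.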