So, as you do, I was just looking around, manually fuzzing some WebSocket requests to see if I could get any sort of XSS, remote IRC command injection or SQLi, mainly. It ended up that I didn't find much there that was worth noting, so I started checking whether their logic was all right. One of their requests looked similar to:
{"_reqid":1234, "cid":5678, "to":"#treehouse", "msg":"test", "method":"say"}
I thought, alright, what if I can send a message to multiple channels? So I changed the "to" parameter to be an array: "to":["#treehouse", "#darkscience"]
Then all of a sudden my account got disabled. So I booted up irssi and jumped on to the support channel to speak to the security engineers there. RJ (the one I spoke to) confirmed that the request had put my account into an infinite loop: the code was attempting to send to a string-type channel but had been given an array. This started filling up the internal queues and increasing the RAM usage. He then fixed the issue, with some difficulty. I submitted it as a report to HackerOne just so they had a track of it.
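The root cause described above is a type confusion at the WebSocket boundary: a field the server assumed was a string arrived as an array and the send path never terminated. As an added example (this is not IRCCloud's code; the field names come from the request in the post, while the rule set, limits and response shape are my assumptions), here is a strict validator that rejects any field of the wrong type before the request can reach an outbound queue. It also refuses CR, LF and NUL in the target and message, which is the usual guard against the IRC command injection mentioned at the top of the post.

```python
import json

# Exact type required for each field of a "say" request (field names from the
# post; the rule set itself is an assumption, not IRCCloud's).
SAY_SCHEMA = {"_reqid": int, "cid": int, "to": str, "msg": str, "method": str}
MAX_TARGET_LEN = 64      # assumed upper bound on a channel or nick name
MAX_MSG_LEN = 512        # assumed upper bound on one outbound line


class InvalidRequest(ValueError):
    """Raised for any request that must not reach the outbound queue."""


def validate_say(raw: str) -> dict:
    """Parse one WebSocket frame and return it only if every field has the
    exact expected type and shape; otherwise raise InvalidRequest."""
    try:
        req = json.loads(raw)
    except ValueError as exc:
        raise InvalidRequest(f"malformed JSON: {exc}") from None
    if not isinstance(req, dict):
        raise InvalidRequest("request must be a JSON object")
    unknown = sorted(set(req) - set(SAY_SCHEMA))
    if unknown:
        raise InvalidRequest(f"unexpected fields: {unknown}")
    for field, expected in SAY_SCHEMA.items():
        if field not in req:
            raise InvalidRequest(f"missing field: {field}")
        value = req[field]
        # isinstance alone is not enough: bool is a subclass of int, and a
        # list is exactly what the post's "to" array would arrive as.
        if isinstance(value, bool) or not isinstance(value, expected):
            raise InvalidRequest(
                f"{field} must be {expected.__name__}, got {type(value).__name__}")
    if req["method"] != "say":
        raise InvalidRequest(f"unsupported method: {req['method']!r}")
    target, text = req["to"], req["msg"]
    # One target per request: no CR/LF/NUL that could smuggle a second IRC
    # line, and no comma, which IRC treats as a target-list separator.
    if not (0 < len(target) <= MAX_TARGET_LEN) or any(c in target for c in " ,\r\n\0"):
        raise InvalidRequest("invalid target")
    if not (0 < len(text) <= MAX_MSG_LEN) or any(c in text for c in "\r\n\0"):
        raise InvalidRequest("message must be a single line")
    return req


def handle_say(raw: str, outbound_queue: list) -> dict:
    """Validate first, enqueue second. A bad request gets a single error
    reply and never touches the queue, so it cannot loop or grow it."""
    try:
        req = validate_say(raw)
    except InvalidRequest as exc:
        return {"success": False, "error": str(exc)}
    outbound_queue.append((req["cid"], f"PRIVMSG {req['to']} :{req['msg']}"))
    return {"_reqid": req["_reqid"], "success": True}


if __name__ == "__main__":
    # Constructed sample frames: the post's request, then the array variant.
    queue = []
    good = '{"_reqid":1234,"cid":5678,"to":"#treehouse","msg":"test","method":"say"}'
    bad = '{"_reqid":1234,"cid":5678,"to":["#treehouse","#darkscience"],"msg":"test","method":"say"}'
    print(handle_say(good, queue))
    print(handle_say(bad, queue))
    print(queue)
```

The design point is that validation happens once, synchronously, before anything is queued: a request that fails gets one error reply and is dropped, so a malformed frame can cost at most one parse, never an unbounded retry loop or queue growth.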
In further discussion with RJ and James (another IRCCloud security engineer), it came out that it would have been possible to create multiple "test accounts", which would have been propagated over the other servers, and to perform the attack across those test accounts, which in turn may have brought down the servers for lack of disk space or other resources.
IRCCloud were brilliant in dealing with the report, and the timely responses from James, even when it was out of working hours, were by far the best that I have ever seen. *tilts hat to James*
Here is the full report issued to IRCCloud on HackerOne.