explicitClick to confirm you are 18+

Making Minds better and a secure place

Maruthi AdithyaJul 21, 2018, 7:54:42 AM

I have always wanted to support open source projects in one way or the other. I am an avid supporter of  Open Source Projects and always try to use them in my online if at all there is one.

For instance, here are some of the open source software I use on a daily basis.

1) Firefox for Browsing

2) DuckDuckGo for Search

3) ProtonMail as a primary Mail

4) Minds as my primary Social Network

so on and so forth ...

I had created my Minds Account way back in 2016 but never used it more often then. Then, suddenly when I started developing the love and enthusiasm for Open Source, I started using Minds regularly and have been a regular active user ever since.

I am not a professional penetration tester but I like to pentest applications that I love the most.  The story of my penetration testing on Minds began when Minds had released their first blog about the crypto release. Back then I had just started learning pentesting by watching videos and reading HackerOne's public disclosures. Then, I realized the unique opportunity where I could learn and practice pentesting on Minds. Immediately, I went to their GitHub page to see if at all they have any Security Policy and to my luck, I found one.

From that minute, I went on to Minds and started exploring all the APIs and features. The first few days were a bit difficult as I was not even a rookie in this field. But with the help of some blogs, I started to find some bugs.

Here is a list of some of my notable Security Findings:

1) Missing X-Frame Options Header.

This was the first ever issue I discovered on Minds. And I did not discover this directly. I had found a self-XSS issue and while looking for a solution to exploit it, I found that the X-Frame Options Header was Missing.

When I had reported this, it was acknowledged and fixed.

This commit references the issue fixed.

I asked if there was any reward associated with this issue. And it was replied with this. 

I got this swag as mentioned in this post.

2) Upvote/DownVote CSRF

I had found a way to bypass the CSRF Token and force a victim to upvote any post on Minds.

This was quickly referenced through this commit.

3) Messenger Rekey CSRF

Because of the lack of CSRF token during Messenger Rekey, an attacker can force a victim to change his/her own messenger password.

This was fixed here

4) HTML Injection

In most of the applications, HTML Injection is considered to be an issue of low severity. However, for content-based-platforms, it is an issue of higher priority as the way content is formed changes after HTML tags are injected.

The issue was resolved in this commit.

5) Broken Access Control 

I found a way to delete chat conversations between any 2 users on Minds. This was a serious issue if it had gone into hands of an attacker. All conversation data would have been lost. The GET part of this request returned the conversations but minds had encrypted this data.

This issue was fixed quickly using commits -1,2.

Apart from these, there were a few other minor issues too which were resolved as well.

It feels really great to contribute something to the community. And I would like to thank Minds for acknowledging them.