Backend / Frontend Whitebox - Truffles

By leveraging the HAL-01 vulnerability, it was possible to chain an attack and obtain the organization ID (orgId) information. Subsequently, a GET request could be sent to any organization that did not belong to the user. This chain of exploitation allowed for the retrieval of sensitive KYC information, such as personal IDs, from the targeted organization.

The severity level of this issue has been downgraded to high because the successful execution of the attack requires obtaining the orgId hash. However, this hash can be obtained by exploiting the HAL-01 vulnerability, thereby enabling the attack to be carried out.

The attack was initiated by sending a request via TFID using the HAL-01 vulnerability. As a result, the response revealed the orgId hash, which was subsequently acquired. Leveraging this obtained hash, a request was made to the endpoint /api/v1/org/63fca6a8555d51bbe1290ec4, leading to the retrieval of sensitive information pertaining to the individuals associated with the targeted organization. Consequently, the attack successfully gathered sensitive information.

Following the retrieval of the orgId hash through the exploitation of the HAL-01 vulnerability, the attacker could proceed to execute a request targeting an organization that does not belong to them. As a result, sensitive information such as IdentificationNumber was exposed and made accessible to the attacker.

• CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SOLVED: Truffles successfully resolved the issue by implementing fix HAL-01. However, subsequent testing revealed that using the orgId hash of a different TFID, which corresponds to the user in question, resulted in a forbidden resource response.

It was possible for an attacker to initiate a request to the endpoint /api/v1/transfer/quote to create a new quote and subsequently use /api/v1/transfer/create to perform outgoing transfers without the requirement of OTP verification. This vulnerability allowed a user to manually execute these actions without having to send an OTP request beforehand, as the transfer quote did not verify if an OTP was sent.

The impact of this issue was particularly concerning in cases where unauthorized access to a user account has been obtained. In such instances, the additional security layer of two-factor authentication (2FA) was rendered unnecessary, enabling the unauthorized transfer of funds to a beneficiary account.

• CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

SOLVED: Truffles effectively resolved the issue by adding OTP header on transfer /create request.

Truffles mail server contained multiple misconfigurations, allowing an attacker to impersonate emails as Truffles and performing scams/fraud/phishing users, which may result in financial and customer loss.

Furthermore, an attacker could exploit the aforementioned vulnerability in conjunction with (HAL-08) to execute a specifically targeted attack against corporate users.

Finally, the victim sends via telegram the token received in the authentication process to the attackers. The account was fully controlled by them.

• CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

SOLVED: Truffles effectively resolved the issue. Consequently, due to the non-delivery of the email, the targeted user did not receive the message sent by the attacker.

An attacker could upload malicious PDF files within the KYC process. This presents a significant impact as it introduces the risk of unauthorized code execution or the dissemination of malicious content. The presence of these malicious files within the KYC process poses a threat to the security and integrity of the system and potentially compromises sensitive information.

Know Your Customer (KYC) is a critical regulatory requirement for financial institutions and other entities dealing with customers' funds, aiming to prevent money laundering, terrorist financing, and other illegal activities. Since the KYC checks the uploaded documents, this increases the risk of the user could be infected by malicious malware executed on corporate laptop.

1. Navigate to https://staging.truffles.one.
2. Create an account.
3. Select a malicious .pdf file and upload as a KYC document.

• CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

SOLVED: Truffles effectively resolved the issue using AWS WAF for scanning all files before uploading to the serve. Also, they are planning to integrate Cloudflare WAF on top of AWS for better malware scanning.

Within the support role privileges, there existed a potential vulnerability that enables the acquisition of the refreshToken for any recently registered user. This allowed the support role user to impersonate the target account by utilizing the obtained refreshToken. As a consequence, the support role user gained unauthorized access to the victim's account, potentially resulting in unauthorized actions and compromising the confidentiality, and integrity of user data.

The following steps outline a scenario involving potential security vulnerabilities:

1. Access the URL https://staging.truffles.one.
2. Log in as a support role user.
3. Open the browser console and examine the contact information associated with a newly registered user.
4. During the console inspection, observe that a refreshToken is present within the Object information array.
5. The support role user can exploit this refreshToken as a Token Bearer and impersonate the victim user, enabling them to perform API actions on behalf of the victim.
6. These actions can potentially involve fraudulent activities, such as sending a POST request to accept an invoice and initiate payment, resulting in severe consequences and a heightened impact.

• CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SOLVED: Truffles solved this issue, removing the user object that was displayed in console when contact was clicked.

The file types allowed to be uploaded should be restricted to only those that are necessary for business functionality. A malicious actor was able to upload non-image files.

1. Navigate to https://staging.truffles.one.
2. Create an account.
3. Select an executable .dmg file and upload as a KYC document.

• CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

SOLVED: Truffles solved this issue by implementing the proper validation on file.service.ts file.

Clickjacking is a malicious technique that permits to load the vulnerable application inside a frame under attacker's control. This could allow injecting malicious actions inside the legitimates.

The lack of X-Frame-Options or Content-Security-Policy ‘frame-ancestors’ headers on server's responses made the application vulnerable to potential Clickjacking attacks.

The attacker successfully initiated the worldcheck process with just two clicks, exploiting the victim's actions. It was important to note that the worldcheck process is a manual KYC procedure implemented on the Truffles support side specifically for organization members. This process exists because Wallex, the banking partner, only performs KYC for the organization's admin and KYB (Know Your Business) checks for the organization itself. However, the attacker was able to bypass these limitations and initiate the worldcheck process.

Requirements:

• Attacker: operator user.
• Victim: support user.
• Third-party affected: admin user.

A series of actions took place (2 clicks):

• The perpetrator initiated the creation of a malicious website and disseminates the link to targeted victims.
• The attacker as belongs to the organization, known the ID.
• The first position will always be the admin of the organization. This click edited the info of account.
• Finally, using only two clicks, the victim could perform the POST API request to initialize world check of admin user account.

Malicious website injecting the iframe:

<script>window.addEventListener("message", function(e){ var data, childFrame = document.getElementById("childFrame"); try { data = JSON.parse(e.data); } catch(e){ data = {}; } if(!data.clickbandit){ return false; } childFrame.style.width = data.docWidth+"px";childFrame.style.height = data.docHeight+"px";childFrame.style.left = data.left+"px";childFrame.style.top = data.top+"px";}, false);</script><iframe src="https://stagadmin.truffles.one/support/63fca6a8555d51bbe1290ec4" scrolling="no" style="width:1256px;height:775px;position:absolute;left:-816px;top:-54px;border:0;" frameborder="0" sandbox="allow-same-origin allow-scripts allow-forms" id="childFrame" onload="parent.postMessage(JSON.stringify({clickbandit:1}),'*')"></iframe>

The consequences of this attack were significant, resulting in the victim's world check without their consent. The attack's complexity was heightened by the necessity of creating a credible pretext and leveraging social engineering techniques to elicit the victim's clicks, ultimately diminishing the probability of successful exploitation and warranting a moderate level of severity for the vulnerability.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

SOLVED: Truffles solved the issue by setting X-Frame-Options headers in all applications.

It has been discovered that Truffles web application exhibited a flaw in its session management. Specifically, the application failed to invalidate previously created sessions even after a user had successfully logged out. As a result, the user's session persisted, posing a significant security risk, especially if the user's JWT (JSON Web Token) was compromised.

This vulnerability allows an attacker who has gained unauthorized access to a user's JWT to maintain full control over the victim's account. Despite the user's attempt to log out, the active session remains intact, granting the attacker ongoing access and potentially allowing them to perform malicious actions on behalf of the victim.

To replicate this issue, it conducted a test using two different browsers and the same user account. The steps were as follows:

1. Logged in to the user account using the first browser.
2. Simultaneously logged in to the same user account using the second browser.
3. On the first browser, initiated the log-out process. Upon inspection of the browser's development tools, it is verified that the localStore was successfully cleared, indicating a proper session termination.

4. However, on the second browser, the session remained active despite the log-out attempt. This indicates a failure in properly invalidating the session, allowing it to persist even after a user has logged out from one browser.

5. CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

SOLVED: Truffles effectively solved the issue. If a user logout from browser 1, the user account is logged out in browser 2 as well.

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. Placing secrets into the URL increases the risk that they will be captured by an attacker.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

PENDING: Truffles will implement the solution in a future release.

Improper handling of errors can introduce a variety of security problems for a website. Web applications frequently generate error conditions during normal operation. Out of memory, null pointer exceptions, system call failure, database unavailable, network timeout, and hundreds of other common conditions can cause errors to be generated.

During the audit, it has been discovered multiple instances of client-side exception errors within the system. These errors occur on the client side, typically within the user's web browser or application, and can negatively impact the user experience and the overall functionality of the system.

Tested Endpoint: https://stagingapp.truffles.one

The exception can be triggered by following these steps:

1. The user logs in to the web application using their credentials.
2. After successful login, the user navigates to a random endpoint within the application, such as /halborn.
3. If the user attempts to return to the /dashboard page or any other desired location, a client-side exception is triggered, resulting in the user being redirected back to the login page.

This exception disrupts the expected user experience, as the user is forced to log in again to regain access to the application. This behavior can be particularly impactful for users with the support role, as they may encounter difficulties accessing the "/support" endpoint and performing their assigned tasks.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

SOLVED: Truffles solved the issue. No client-side exception was detected while retesting.

The scoped repository uses multiple third-party dependencies. Using vulnerable third-party libraries can result in security vulnerabilities in the project that can be exploited by attackers. This can result in data breaches, theft of sensitive information, and other security issues. However, some of them were affected by public-known vulnerabilities that may pose a risk to the global application security level.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

RISK ACCEPTED: Truffles risk accepted the issue.

OWASP. Vulnerable and Outdated Components OWASP. Vulnerable Dependency Management Cheat Sheet

The authentication page of the web application features a registration form; however, it lacks a captcha validation mechanism. Consequently, this absence of captcha verification allowed users to submit an excessive number of requests, leading to an overload of new user creations on the support endpoint located at stagadmin.truffles.one.

The repercussions of this issue could disrupt the workflow of support personnel, particularly in the areas of KYC approval and the verification of uploaded documents for legitimate users.

During the execution of the script, it was imperative to effectively manage a rotating proxy system that incorporates multiple VPN connections.

import requests

headers = {
    'Host': 'stagingapi.truffles.one',
    'User-Agent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))',
    'Accept': 'application/json',
    'Accept-Language': 'en-US,en;q=0.5',
    # 'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/json',
    # 'Content-Length': '328',
    'Origin': 'https://stagingapp.truffles.one',
    'Referer': 'https://stagingapp.truffles.one/',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-site',
    # Requests doesn't support trailers
    # 'Te': 'trailers',
    'Connection': 'close',
}

for i in range(1,100):
    json_data = {
        'accountType': 'company',
        'phoneCode': '+1',
        'residentialCountry': {
            'country': 'Spain',
            'countryCode': '34',
            'isoCode2': 'ES',
            'isoCode3': 'ESP',
        },
        'email': 'qum123-%s@yopmail.com' % str(i),
        'firstName': '%s' % str(i),
        'lastName': 'AAA',
        'mobileNumber': 638158711,
        'orgName': 'PWN%s' % str(i),
        'orgType': 'tech',
        'title': 'Mr',
        'language': 'en',
        'terms': False,
    }

    print(i)


    response = requests.post('https://stagingapi.truffles.one/api/v1/auth/register', headers=headers, json=json_data, verify=True)

    print(response.text)

# Following prints your normal public IP
print(requests.get("http://httpbin.org/ip").text)

If a huge number of requests per second were sent, the webflow application bans the traffic, serving a response with HTTP code 429 and error code Too Many Requests. However, this mechanism protects by banning the IP. With sophisticated tools that handle a rotated proxy with several VPN connections, this protection can be bypassed, as shown in the next screenshot.

Following the attack, the support endpoint experienced a significant influx of fraudulent user registrations, resulting in disruptions to the support team's workflow for KYC document approval and the creation of accounts with the Wallex third-party service provider.

• CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

SOLVED: Truffles effectively resolved the issue, implementing a Captcha.

It has come to attention that the _id parameter associated with a user and the corresponding orgId parameter share identical values, differing only in the last byte. Although no known exploits have been identified thus far, this issue carries a potential vulnerability that may be leveraged by attackers in future releases featuring new API endpoints. If an attacker gains access to the orgID, they could retrieve the user's ID and exploit it for malicious purposes, such as accessing sensitive information.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SOLVED: Truffles effectively resolved the issue, implementing a proper differenced hashes.

It has been observed a logical overlook in the sign-up. There was wrong condition while checking for existing users through email using AND statement.

/src/auth/auth.service.ts

async register(registerEntity: RegisterEntity): Promise<string | void> {
    try {
      await this.loadSecret();
      const { email, orgName } = registerEntity;
      const user = await this.userService.findByEmailForRegister(email);
      const org = await this.orgService.findByNameForRegister(orgName);
      if (user && org) {
        throw new BadRequestException('User email or Org already exist');
      }
      const newOrgObject = {
        orgName: orgName,
        orgType: registerEntity.orgType,
        accountType: registerEntity.accountType,
        TFID:
          orgName.substring(0, 3) +
          Math.floor(Math.random() * 1000000).toString(),
      };

      const newOrg = await this.orgService.create(newOrgObject);
      const registerUserData: CreateAuthDto = {
        role: 'onboarder',
        orgID: newOrg.id,
        email: email,
        orgName: orgName,
        title: registerEntity.title,
        firstName: registerEntity.firstName,
        lastName: registerEntity.lastName,
        mobileNumber: registerEntity.mobileNumber,
        language: registerEntity.language,
        residentialCountry: registerEntity.residentialCountry.country,
        residentialCountryIso2: registerEntity.residentialCountry.isoCode2,
        residentialCountryIso3: registerEntity.residentialCountry.isoCode3,
        phoneCode: registerEntity.residentialCountry.countryCode,
        accountType: registerEntity.accountType,
      };
      const createdUser = await this.userService.create(registerUserData);
      return this.sendMagicLink(createdUser, createdUser.role);
    } catch (err) {
      throw new BadRequestException(`Register User : ${err}`);
    }
  }

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

SOLVED: Truffles effectively resolved the issue by implementing a proper user validation.

Secure or sensitive data should not be stored persistently in browser data stores as this may permit information leakage on shared systems and could result in account takeover by exfiltration of the jwtToken. Sensitive data is stored in localStorage located in state key. This data includes jwtToken.

1. Receive the email with the token parameter to new sign up.
2. Open the Developer Tools (usually the F12 button).
3. Go to the Local Storage tab (e.g. Storage -> Local Storage).
4. An alternative option is to go to the Console section and enter the following code:

for (let i = 0; i < localStorage.length; i++) 
{ const key = localStorage.key(i);
const value = localStorage.getItem(key); 
console.log(`${key}: ${value}`);
}

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SOLVED: Truffles solved the issue by removing the accessToken and refreshToken from localstorage.

The inability for support role users to change the prefix of a mobile number has been identified as an ongoing issue. This limitation was observed without the phoneCode parameter within the update API request, which prevents support role users from modifying the mobile number prefix.

The impact of this issue was notable, as support role users were unable to change the prefix of any mobile numbers associated with user accounts. This poses a challenge, particularly when performing transfers that require two-factor authentication (2FA) through the sending of SMS messages containing OTP codes. The locked accounts hinder the smooth processing of transfers, causing inconvenience for both the users and the support team.

• CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

SOLVED: Truffles solved the issue enabling the field for editing the prefix number by support role user.

The current way the front end handles the user session was by directly requesting the backend the user profile without any authentication mechanism. So, it was possible to modify the request or the response to make the front end trust the input data and load the view of a different user, or even a user with more privileges.

It was important to mention that it does not mean that when doing this, it was possible to impersonate the user session. However, it was possible to leak information about administrative tasks because of reflected on the front-end UI.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SOLVED: Truffles solved the issue.

The application uses a potentially insecure function to nonce generation and other mechanism, which might lead to potential security risks. The application utilizes the Math.random() function to generate random numbers. The Math.random() function is not cryptographically secure and can be exploited by attackers to predict TFID for organization, compromising the other random sequence generation.

It was important to note that under certain circumstances, the TFID had the potential to generate identical identifiers for different organization names, leading to a collision in the assigned IDs.

backend/src/auth/auth.service.ts

const newOrgObject = {
        orgName: orgName,
        orgType: registerEntity.orgType,
        accountType: registerEntity.accountType,
        TFID:
          orgName.substring(0, 3) +
          Math.floor(Math.random() * 1000000).toString(),
      };

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

SOLVED: Truffles solved the issue.

generateTFID = (orgName) => {
    const randomNum = randomBytes(3).readUIntBE(0, 3);
    const TFID = orgName.substring(0, 3) + randomNum;

    return TFID;
  };

During the assessment, it has been observed that the previously authenticated JWT Token did not get invalidated on request new JWT token. If the JWT Token was exposed to any user by some misconfiguration/vulnerability, an attacker could maintain access to the user's account for the longest amount of time, as the JWT will not get invalidated on new token created, this could lead to complete account takeover of a user account.

• CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

SOLVED: Truffles solved the issue.

\newpage

The web page contains a form on the authentication page that allowed a user to sign in. Nevertheless, it did not have a captcha on the form that validates the request in order to prevent the excessive submissions sent by a user, resulting in an overloaded inbox.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SOLVED: Truffles solved this issue by implementing a time counter previous next resend email.

The application contains some external dependencies, some of which are not pinned to an exact version but set to a compatible version (^x.x.x). This can potentially enable dependency attacks, as observed with the event-stream package with the Copay Bitcoin Wallet.

Backend repository:

"dependencies": {
    "@aws-sdk/client-s3": "^3.267.0",
    "@aws-sdk/s3-request-presigner": "^3.278.0",
    "@fastify/csrf-protection": "^6.1.0",
    "@fastify/formbody": "^7.4.0",
    "@fastify/helmet": "^10.1.0",
    "@fastify/multipart": "^7.4.0",
    "@fastify/static": "^6.6.1",
    "@nestjs-modules/mailer": "^1.8.1",
    "@nestjs/axios": "^1.0.1",
    "@nestjs/common": "^9.0.0",
    "@nestjs/config": "^2.3.1",
    "@nestjs/core": "^9.0.0",
    "@nestjs/devtools-integration": "^0.1.4",
    "@nestjs/jwt": "^9.0.0",
    "@nestjs/mapped-types": "*",
    "@nestjs/microservices": "^9.2.1",
    "@nestjs/mongoose": "^9.2.1",
    "@nestjs/passport": "^9.0.0",
    "@nestjs/platform-express": "^9.3.9",
    "@nestjs/platform-fastify": "^9.2.1",
    "@nestjs/platform-socket.io": "^9.2.1",
    "@nestjs/schedule": "^2.2.1",
    "@nestjs/swagger": "^6.3.0",
    "@nestjs/throttler": "^3.1.0",
    "@nestjs/typeorm": "^9.0.1",
    "@nestjs/websockets": "^9.2.1",
    "@pinata/sdk": "^2.1.0",
    "@truffle/hdwallet-provider": "^2.1.9",
    "@types/cryptr": "^4.0.1",
    "@types/multer": "^1.4.7",
    "@types/winston": "^2.4.4",
    "aws-sdk": "^2.1287.0",
    "axios": "^1.2.2",
    "bcryptjs": "^2.4.3",
    "class-transformer": "^0.5.1",
    "class-validator": "^0.14.0",
    "country-calling-code": "^0.0.3",
    "crypto-js": "^4.1.1",
    "cryptr": "^6.2.0",
    "ethereumjs-tx": "^2.1.2",
    "ethers": "^6.1.0",
    "fastify": "^4.11.0",
    "handlebars": "^4.7.7",
    "merkletreejs": "^0.3.9",
    "mime-types": "^2.1.35",
    "moment": "^2.29.4",
    "mongodb-memory-server": "^8.12.2",
    "mongoose": "^6.10.1",
    "nestjs-redoc": "^2.2.2",
    "nodemailer": "^6.9.0",
    "passport": "^0.6.0",
    "passport-jwt": "^4.0.0",
    "passport-local": "^1.0.0",
    "reflect-metadata": "^0.1.13",
    "rimraf": "^3.0.2",
    "rxjs": "^7.2.0",
    "swagger-themes": "^1.2.28",
    "truffles-web3": "0.0.7",
    "typegoose": "^5.9.1",
    "typeorm": "^0.3.11",
    "uuid": "^9.0.0",
    "web3": "^1.9.0",
    "web3-utils": "^1.9.0",
    "winston": "^3.8.2",
    "winston-daily-rotate-file": "^4.7.1"
  }

Frontend repository:

"dependencies": {
    "@cyntler/react-doc-viewer": "^1.10.3",
    "@material-tailwind/react": "1.2.4",
    "@types/react-datepicker": "^4.8.0",
    "antd": "^5.1.7",
    "axios": "^1.3.1",
    "country-calling-code": "^0.0.3",
    "daisyui": "^2.46.1",
    "date-fns": "^2.29.3",
    "formik": "^2.2.9",
    "framer-motion": "^8.1.9",
    "moment": "^2.29.4",
    "next": "latest",
    "notistack": "^3.0.1",
    "react": "18.2.0",
    "react-datepicker": "^4.8.0",
    "react-doc-viewer": "^0.1.5",
    "react-documents": "^1.2.1",
    "react-dom": "18.2.0",
    "react-icons": "^4.7.1",
    "react-query": "^3.39.3",
    "react-redux": "^8.0.5",
    "react-select": "^5.7.0",
    "react-toastify": "^9.1.1",
    "recharts": "^2.4.3",
    "yup": "^0.32.11"
  }

Support repository:

"dependencies": {
    "@cyntler/react-doc-viewer": "^1.13.0",
    "@material-tailwind/react": "^1.4.2",
    "@types/node": "18.15.11",
    "@types/react": "18.0.31",
    "@types/react-dom": "18.0.11",
    "antd": "^5.1.7",
    "axios": "^1.3.1",
    "country-calling-code": "^0.0.3",
    "daisyui": "^2.46.1",
    "date-fns": "^2.29.3",
    "eslint": "8.37.0",
    "eslint-config-next": "13.2.4",
    "formik": "^2.2.9",
    "framer-motion": "^8.1.9",
    "moment": "^2.29.4",
    "next": "latest",
    "notistack": "^3.0.1",
    "react": "18.2.0",
    "react-datepicker": "^4.8.0",
    "react-doc-viewer": "^0.1.5",
    "react-documents": "^1.2.1",
    "react-dom": "18.2.0",
    "react-icons": "^4.7.1",
    "react-query": "^3.39.3",
    "react-redux": "^8.0.5",
    "react-select": "^5.7.0",
    "react-toastify": "^9.1.1",
    "recharts": "^2.4.3",
    "typescript": "5.0.2",
    "yup": "^0.32.11"
  }

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

SOLVED: Truffles solved the issue.

\newpage

The transfer mechanism allowed for negative values in the amount field without triggering any error responses.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

SOLVED: Truffles solved the issue.

Truffles web app backend API responded to errors leaking more information about the backend. This behavior presents more information than it should to the user.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

SOLVED: Truffles solved the issue.

Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the web app or backend server used by the web app. In this particular case, the web application lacks any password protection mechanism. The sole authentication mechanism implemented was email login, which relies on the issuance of a link sent to the user's email address. However, if a user's email account is compromised, an attacker could exploit this vulnerability to authenticate themselves as the victim on the web application.

It was important to note that even a compromise of the superadmin role account email would result in the compromise of the entire web application. This vulnerability arises due to the utilization of the same authentication process for both low-privileged and high-privileged accounts.

• CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

ACKNOWLEDGED: Truffles risk acknowledged the issue.

OWASP. Authentication

It was found that Truffles web application allowed the use of disposable email addresses (e.g. 'yopmail.com') when registering users. It is well known that these types of email addresses could be associated with scams or malicious users.

SOLVED: Truffles solved this issue by implementing the proper validation on email register.

async checkDisposableEmail(email: string): Promise<boolean> {
    const res = axios.get(`https://open.kickbox.com/v1/disposable/${email}`);
    return (await res).data.disposable;
  }