Liner Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to User Chat Histories

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Liner, an AI search engine with over 10 million users. This vulnerability, present in the chat component, allows attackers to access sensitive conversation histories of other users. The issue arises because Liner's server does not properly validate the ownership or sharing status of individual messages. Instead, it only checks the message ID when retrieving conversation histories, leaving the space ID and thread ID unverified. Attackers can exploit this by brute-forcing message IDs, which follow a predictable format and are stored on the server without any access controls. As a result, attackers can tamper with the chat histories of other users by manipulating the message ID parameters in their requests.

Impact

Exploitation of this vulnerability allows for unauthorized access to and manipulation of other users' conversation histories on Liner.

Reproduction

To reproduce this vulnerability, send a GET request to the v1/space/{space_id}/thread/{thread_id}/message/{message_id} endpoint. Include the space_id, thread_id, and message_id parameters. The server will only validate the message_id, allowing access to the conversation history. This can be done by brute-forcing the message_id parameter, as the IDs are predictable and stored in ascending order.
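The missing server-side check, shown as an added example (not Liner's code and not part of the original advisory): a handler that trusts only the message ID, beside one that verifies the caller's access to the space and the space/thread/message relationship. The data model, user names, IDs and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    message_id: int
    thread_id: int
    space_id: int
    text: str

# Constructed sample data (hypothetical schema, not Liner's).
SPACES = {10: {"owner": "alice", "shared_with": {"carol"}},
          20: {"owner": "bob", "shared_with": set()}}
THREADS = {100: 10, 200: 20}  # thread_id -> space_id
MESSAGES = {
    5001: Message(5001, 100, 10, "alice's private question"),
    5002: Message(5002, 200, 20, "bob's private question"),
}

class NotFound(Exception):
    """Raised for missing and unauthorized objects alike, so IDs cannot be probed."""

def get_message_vulnerable(user, space_id, thread_id, message_id):
    # Pattern described in the advisory: only message_id is used; caller and path IDs are ignored.
    msg = MESSAGES.get(message_id)
    if msg is None:
        raise NotFound()
    return msg

def get_message_hardened(user, space_id, thread_id, message_id):
    space = SPACES.get(space_id)
    # 1. The caller must own the space or have it shared with them.
    if space is None or (user != space["owner"] and user not in space["shared_with"]):
        raise NotFound()
    # 2. The thread must belong to that space.
    if THREADS.get(thread_id) != space_id:
        raise NotFound()
    # 3. The message must belong to that thread and that space.
    msg = MESSAGES.get(message_id)
    if msg is None or msg.thread_id != thread_id or msg.space_id != space_id:
        raise NotFound()
    return msg

def can_read(handler, user, space_id, thread_id, message_id):
    """Return True if handler serves the message to user, False if it refuses."""
    try:
        handler(user, space_id, thread_id, message_id)
        return True
    except NotFound:
        return False
```

Non-sequential message IDs make enumeration harder, but they do not replace the ownership check in the hardened handler.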

Added: Jul 21, 2025, 11:49 PM
Updated: Jul 21, 2025, 11:49 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.2
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.