Rallly Poll Vote Manipulation Vulnerability
Vulnerability
A vulnerability allowing unauthorized modification of participant votes in Rallly polls has been identified. This insecure direct object reference (IDOR) issue affects all authenticated users prior to Rallly version 4.5.4. The vulnerability arises because the backend does not verify ownership or poll permissions, relying solely on the participantId parameter to identify votes for updates. As a result, an attacker can alter poll outcomes in their favor, compromising data integrity.
Impact
Exploitation of this vulnerability allows unauthorized users to change votes of other participants, directly affecting the results of polls and undermining the integrity of the voting process.
Reproduction
To reproduce this vulnerability, an authenticated user must first gather participant IDs, which can be obtained through a prior information disclosure vulnerability. Once the IDs are known, the attacker can intercept a legitimate vote change request and modify the participantId field to reference another user, such as the poll owner. After forwarding the altered request, the server processes the update, changing the victim's vote without their consent.
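The root cause described above (the update path trusts participantId alone) and the forged request in the reproduction steps are shown together in the following added example. It is not Rallly's code; the data model, identifiers and the ownership rule (a participant row may be edited by the account that created it or by the poll owner) are assumptions for illustration.

```typescript
// Added example, not Rallly's code. Data model and names are hypothetical.
type VoteChoice = "yes" | "no" | "ifNeedBe";

interface Poll { id: string; ownerId: string; }

interface Participant {
  id: string;
  pollId: string;
  userId: string | null;              // account that created this participant row
  votes: Record<string, VoteChoice>;  // optionId -> choice
}

interface UpdateRequest { participantId: string; optionId: string; choice: VoteChoice; }

// Constructed in-memory store standing in for the database.
const polls: Poll[] = [{ id: "poll-1", ownerId: "user-owner" }];
const participants: Participant[] = [
  { id: "part-owner", pollId: "poll-1", userId: "user-owner", votes: { "opt-a": "yes" } },
  { id: "part-attacker", pollId: "poll-1", userId: "user-attacker", votes: { "opt-a": "no" } },
];

// Vulnerable pattern: the row is selected purely by the client-supplied
// participantId; the requester's identity is never consulted.
function updateVoteUnchecked(req: UpdateRequest, _requesterId: string): boolean {
  const p = participants.find((x) => x.id === req.participantId);
  if (!p) return false;
  p.votes[req.optionId] = req.choice;
  return true;
}

// Hardened pattern: the row is only written if it belongs to the requester or
// the requester owns the poll it sits in. Unknown and unauthorized ids get the
// same answer so the check does not double as an existence oracle.
function updateVoteChecked(req: UpdateRequest, requesterId: string): boolean {
  const p = participants.find((x) => x.id === req.participantId);
  if (!p) return false;
  const poll = polls.find((x) => x.id === p.pollId);
  const isSelf = p.userId !== null && p.userId === requesterId;
  const isPollOwner = poll !== undefined && poll.ownerId === requesterId;
  if (!isSelf && !isPollOwner) return false;
  p.votes[req.optionId] = req.choice;
  return true;
}

function getVote(participantId: string, optionId: string): VoteChoice | undefined {
  return participants.find((x) => x.id === participantId)?.votes[optionId];
}
```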
Remediation
Users are advised to upgrade to Rallly version 4.5.4 or later, where this vulnerability has been patched.
