SiYuan Note Hardcoded Cryptographic Secret Vulnerability Leading to Session Hijacking

Vulnerability

A vulnerability exists in the SiYuan Note application in versions through 3.5.1, where a hardcoded cryptographic secret is used for session storage. Because the secret is embedded in the application's server code, it is effectively public, and session encryption is ineffective. An attacker who intercepts or otherwise obtains a user's encrypted session cookie can decrypt it with this publicly known key. The decrypted cookie reveals the AccessAuthCode, which can be used to authenticate and take over the user's session.

Impact

Exploitation of this vulnerability allows unauthorized access to a user's account by stealing the AccessAuthCode from the session cookie. This access gives full administrative control over the SiYuan instance, exposes private notes, and can potentially lead to server compromise.

Reproduction

To reproduce this vulnerability, log into a SiYuan Note instance to generate a session cookie. An attacker can intercept this cookie, for example, over an unencrypted HTTP connection or via client-side scripts. Once the cookie is obtained, it can be decrypted using a script that exploits the hardcoded key found in the application's server code. The decrypted AccessAuthCode can then be used to take over the session.

Remediation

Users can update to SiYuan Note version 3.5.2, where this vulnerability has been patched.
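
For developers auditing their own code for the same flaw, the usual alternative to a hardcoded session secret is a random key generated once per installation. The Go sketch below is an added example, not SiYuan's code and not a description of how version 3.5.2 fixes the issue; the helper name loadOrCreateSessionSecret and the key file location are hypothetical.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const secretLen = 32 // 256-bit key for cookie authentication/encryption

// loadOrCreateSessionSecret (hypothetical helper) returns the per-installation
// secret stored at path, generating it from the OS CSPRNG on first start.
func loadOrCreateSessionSecret(path string) ([]byte, error) {
	key, err := os.ReadFile(path)
	if err == nil {
		if len(key) != secretLen {
			return nil, fmt.Errorf("session secret %s has length %d, want %d", path, len(key), secretLen)
		}
		return key, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	key = make([]byte, secretLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	// O_EXCL: never overwrite an existing secret; 0600: readable by the owner only.
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	if _, err := f.Write(key); err != nil {
		return nil, err
	}
	return key, f.Sync()
}

func main() {
	dir, err := os.MkdirTemp("", "session-demo") // constructed sample location
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	key, err := loadOrCreateSessionSecret(filepath.Join(dir, "session.key"))
	fmt.Println(len(key), err)
}
```

Because each installation holds a different key, a cookie captured from one instance cannot be decrypted with material taken from the source code, and deleting the key file invalidates all existing sessions.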

Added: Dec 27, 2025, 1:17 AM
Updated: Dec 27, 2025, 1:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 5.0
exploitability: 7.2
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.