WWBN AVideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*
- <= 26.0
A Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability has been identified in WWBN AVideo versions through 26.0. The issue arises in the 'transferBalance()' method of 'plugin/YPTWallet/YPTWallet.php', where the absence of database transactions or row-level locking allows an attacker holding multiple authenticated sessions to issue concurrent transfer requests. Each request reads the same outdated wallet balance, independently passes the balance verification, and results in only one deduction while the recipient is credited multiple times. This vulnerability can lead to unauthorized wallet balance inflation and financial discrepancies within the platform.
Exploitation of this vulnerability can cause a double-spend effect in wallet transactions, allowing an attacker to inflate their recipient's wallet balance at the expense of their own, creating an inconsistent financial ledger.
To reproduce this vulnerability, an attacker must have a registered account with a positive wallet balance and create multiple simultaneous login sessions. After solving the required captchas for each session, the attacker can send concurrent transfer requests from their account to an accomplice, exploiting the race condition so that each request reads the same balance and passes the check before any of the deductions has been written.
The vulnerability has been patched in commit 34132ad5159784bfc7ba0d7634bb5c79b769202d, which includes a fix for the race condition by implementing database transactions and row-level locking in the 'transferBalance()' method.
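To make the check-then-use gap and the shape of the fix concrete, the following is an added example (not code from AVideo or from the referenced commit) that models a wallet table in SQLite with Python: the unsafe read-check-write sequence interleaved across two requests, beside a version that takes the lock before the check. The table layout, the amounts and the use of BEGIN IMMEDIATE as SQLite's stand-in for row-level locking are assumptions; a database with row locks would use SELECT ... FOR UPDATE inside the transaction.

```python
import contextlib, os, sqlite3, tempfile
AMOUNT = 100  # constructed transfer amount; the sender starts with exactly 100
SEL = "SELECT balance FROM wallet WHERE user='sender'"
CREDIT = "UPDATE wallet SET balance=balance+? WHERE user='accomplice'"

def conn(path, timeout=5.0):
    return sqlite3.connect(path, isolation_level=None, timeout=timeout)  # autocommit mode

def make_db():
    # Constructed sample ledger (not AVideo's schema): sender holds 100, accomplice 0.
    path = os.path.join(tempfile.mkdtemp(), "wallet.db")
    con = conn(path)
    con.execute("CREATE TABLE wallet(user TEXT PRIMARY KEY, balance INTEGER)")
    con.executemany("INSERT INTO wallet VALUES(?, ?)", [("sender", 100), ("accomplice", 0)])
    return path

def balances(path):
    return dict(conn(path).execute("SELECT user, balance FROM wallet"))

def run_vulnerable(path):
    # Unsafe: check and use are separate autocommit statements, so two requests interleave check, check, use, use.
    a, b = conn(path), conn(path)
    ba, bb = a.execute(SEL).fetchone()[0], b.execute(SEL).fetchone()[0]  # both read 100
    for con, bal in ((a, ba), (b, bb)):
        if bal >= AMOUNT:  # both pass on the stale value
            # absolute write of the stale result: one deduction, but two credits
            con.execute("UPDATE wallet SET balance=? WHERE user='sender'", (bal - AMOUNT,))
            con.execute(CREDIT, (AMOUNT,))
    return balances(path)  # {'sender': 0, 'accomplice': 200}: double spend

def safe_transfer(con):
    # Hardened: take the lock first, then check and update inside one transaction.
    with con:  # rolls the open transaction back if anything below raises
        con.execute("BEGIN IMMEDIATE")  # no row locks in SQLite: stands in for SELECT ... FOR UPDATE
        ok = con.execute(SEL).fetchone()[0] >= AMOUNT
        if ok:
            con.execute("UPDATE wallet SET balance=balance-? WHERE user='sender'", (AMOUNT,))
            con.execute(CREDIT, (AMOUNT,))
        con.execute("COMMIT" if ok else "ROLLBACK")
    return ok

def run_hardened(path):
    a, b = conn(path), conn(path, timeout=0)
    a.execute("BEGIN IMMEDIATE")  # request 1 holds the write lock...
    with contextlib.suppress(sqlite3.OperationalError):  # ..."database is locked"
        b.execute("BEGIN IMMEDIATE")
    blocked = not b.in_transaction  # request 2 could not run its check concurrently
    a.execute("ROLLBACK")
    results = [safe_transfer(a), safe_transfer(b)]  # serialized: the second is rejected
    return blocked, results, balances(path)  # (True, [True, False], sender 0 / accomplice 100)
```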