We cannot trust session.user on the client side #1701

@j4w8n

Description

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Using data from session.user to render user information is just as insecure on the client side as it is on the server side.

This is because an attacker can sign up for an account, log in, then change the value of session.user.id in their own cookie, then make a request to the vulnerable app page.

To Reproduce

As with the server-side vulnerability, this one also relies on an attacker knowing the Supabase user id of the targeted victim user.

  1. Log in to an app
  2. Copy the value of your own auth token
  3. Remove the base64- prefix from the value
  4. Decode the value to get the session
  5. Replace session.user.id with the victim's user id.
  6. Base64 encode the tampered session and prefix it with base64-
  7. Copy the value back into your cookie.
  8. Go to a page that renders sensitive user data based on session.user.id. The victim user's data will be revealed.

Additional Context

https://github.com/orgs/supabase/discussions/23224

Labels: auth-js (Related to the auth-js library), bug (Something isn't working)
