Abuse of the system of sending invitations
_I sent a report with this bug some time ago to the email address email@example.com and I got a bounty for it, but it still has not been fixed, so I am filing this issue._
**Describe the bug**
The content and URL of issue invitations are supplied by the client in the API request rather than generated on the server side, which allows the mailing system to be misused to deliberately mislead users for the purpose of an attack.
Because the e-mails use the official format / template and are sent from the **firstname.lastname@example.org** address, a very convincing phishing message can be created.
I have sent a crafted invitation to the user @ririen (me); if someone needs a POC, please give me nicks.
1. Go to any issue and click the "Share" button.
2. Select the user you want to send the invitation to (you can choose yourself).
3. Before you click "Send Invite", enable a proxy / request capture, for example using Burp Suite.
4. In the captured request, change the parameters:
- **msg** - the content of the e-mail
- **invite_url** - the URL that the "View Bounty" button in the e-mail leads to.
5. Send the changed request.
The user sees a credible invitation from another Gitcoin user. However, they have no idea that clicking the "View Bounty" button redirects them to a phishing page. If they are careless and click / perform actions on the fake website, the attacker who sent the invitation may take over their account or otherwise compromise their security.
The content of the message and the URL should not be this easy to change; both should be produced on the server. As long as the client can alter the content of a specific invitation sent by e-mail, there is room for abuse.
It is best not to give users any opportunity to change the link and content of invitations, and instead to generate them on the server side, outside the browser's control :)
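As an added illustration (this is example code, not Gitcoin's own handler), the following contrasts the reported pattern, where `msg` and `invite_url` are read from the request, with a hardened handler that accepts only a bounty id and recipient and derives the text and link server-side. `SITE_ORIGIN`, the `BOUNTIES` table and the sample requests are constructed placeholders.

```python
# Added example: client-trusting invite handler vs. server-derived one.
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_ORIGIN = "https://gitcoin.example"          # assumed service origin (placeholder)
BOUNTIES = {42: "Fix login redirect"}            # constructed sample bounty table


@dataclass
class Email:
    to: str
    subject: str
    body: str
    link: str


def vulnerable_invite(request: dict) -> Email:
    """Pattern described in the report: body text and button link are
    copied straight from the client request, so the sender controls both."""
    return Email(
        to=request["to"],
        subject="You have been invited to a bounty",
        body=request["msg"],             # client-controlled
        link=request["invite_url"],      # client-controlled
    )


def hardened_invite(request: dict, sender: str) -> Email:
    """Only the bounty id and recipient come from the client; `sender` is the
    authenticated user taken from the session, never from the request body.
    Any extra fields such as `msg` or `invite_url` are simply ignored."""
    bounty_id = int(request["bounty_id"])
    if bounty_id not in BOUNTIES:
        raise ValueError("unknown bounty")
    link = f"{SITE_ORIGIN}/issue/{bounty_id}"               # built server-side
    body = f'{sender} invited you to work on "{BOUNTIES[bounty_id]}".'
    return Email(
        to=request["to"],
        subject="You have been invited to a bounty",
        body=body,
        link=link,
    )


def link_is_internal(link: str) -> bool:
    """Last-line guard before sending: the button must point at our own origin."""
    parts, origin = urlsplit(link), urlsplit(SITE_ORIGIN)
    return parts.scheme == origin.scheme and parts.netloc == origin.netloc
```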