Gather.town 0-day Report

Introduction

Discoveries

1. RCE on Gather town desktop app

webPreferences: {
    preload: path_1["default"].join(__dirname, "./interop.js"),
    nativeWindowOpen: true,
    // We have to disable this to allow for window.require("electron"), but we may want to consider
    // taking a second look at this in the future. From:
    // https://www.electronjs.org/docs/breaking-changes#default-changed-contextisolation-defaults-to-true
    // "We recommend having contextIsolation enabled for the security of your application."
    contextIsolation: false, // <-----------
    nodeIntegration: true, // <-----------
    enableRemoteModule: true
},

if (IN_APP_URLS.some(function (inAppUrl) { return baseUrl.includes(inAppUrl); })) {
    // load some gather urls in same window
    mainWindow.loadURL(url);
}
popup calc.exe from the desktop app
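As an added example (not Gather's code), a small audit helper that flags the webPreferences combination shown above and contrasts the substring-based URL check with an exact-origin comparison; the origin list and the sample preference objects are constructed placeholders.

```javascript
// Added audit helper, not taken from the Gather desktop app.
// ALLOWED_ORIGINS is an assumed placeholder list for the strict check.
const ALLOWED_ORIGINS = ["https://app.gather.town", "https://gather.town"];

// webPreferences settings whose values matter when loading remote content.
// `safe` is the value a hardened BrowserWindow should carry.
const RULES = {
  nodeIntegration: { safe: false, why: "page JavaScript can require() Node modules" },
  contextIsolation: { safe: true, why: "preload and page share one JavaScript world" },
  enableRemoteModule: { safe: false, why: "page JavaScript can drive main-process objects" },
  webSecurity: { safe: true, why: "same-origin policy is disabled" },
  sandbox: { safe: true, why: "renderer runs without the OS sandbox" },
};

// Returns one finding per setting that is present and differs from its safe value.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, rule] of Object.entries(RULES)) {
    if (key in prefs && prefs[key] !== rule.safe) {
      findings.push(`${key}=${prefs[key]}: ${rule.why}`);
    }
  }
  return findings;
}

// The check from the snippet above: any URL whose text contains an in-app URL passes,
// regardless of which host the URL actually points at.
function weakIsInApp(url, inAppUrls) {
  return inAppUrls.some((inAppUrl) => url.includes(inAppUrl));
}

// Stricter alternative: parse the URL and compare scheme and host exactly.
function strictIsInApp(url, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never in-app
  }
  return allowedOrigins.includes(parsed.origin);
}

// Constructed sample objects: the combination shown in the report, and a hardened one.
const SHOWN_PREFS = { nativeWindowOpen: true, contextIsolation: false, nodeIntegration: true, enableRemoteModule: true };
const HARDENED_PREFS = { contextIsolation: true, nodeIntegration: false, enableRemoteModule: false, sandbox: true };

console.log(auditWebPreferences(SHOWN_PREFS));
```

Running the block prints three findings for the shown configuration and none for the hardened one.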

2. Input Validation Bypass

long display name

3. XSS on cdn.gather.town

xss in cdn.gather.town

4. Potential blind SSRF

5. Verification code with insufficient rate limiting
