Summary
An improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks.
Details
The issue resides in the polls.comments.add endpoint of the Rallly application. When a comment is created, the backend accepts a client-supplied authorName value without verifying that it matches the authenticated session.
This means that the server trusts user input for identity information instead of deriving it from the logged-in user context (e.g., via session token or user ID).
Vulnerable request example:
POST /api/trpc/polls.comments.add?batch=1 HTTP/1.1
Host: 192.168.11.109:3000
Content-Type: application/json
Cookie: better-auth.session_token=<valid_token>
{"0":{"json":{
"authorName":"admin",
"content":"Hello from fake admin!",
"pollId":"2UewfU7cylgK"
}}}
This request succeeds even though the authenticated user is not “admin,” allowing impersonation of any username.
Root cause:
The backend fails to bind the authorName field to the authenticated user session and trusts the client input for identity.
PoC
Test Environment:
Target: Local Rallly instance at http://192.168.11.109:3000/
Victim: fairalien (poll owner)
Attacker: hehe (regular user)
Steps to reproduce:
Impact
This is an improper authorization / user impersonation vulnerability.
Affected users: All authenticated users (can impersonate any account)
Consequences:
-
Attackers can impersonate trusted users (admins, poll owners, moderators).
-
Potential for phishing or malicious link distribution under trusted names.
-
Damage to platform integrity and user trust.
Recommended fix:
The backend should ignore any authorName values supplied by the client and instead associate comments with the authenticated user derived from the session token.
alaeddine03 Reporter
Summary
An improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments under arbitrary usernames, including privileged ones such as administrators, potentially misleading other users and enabling phishing or social engineering attacks.
Details
The issue resides in the polls.comments.add endpoint of the Rallly application. When a comment is created, the backend accepts a client-supplied authorName value without verifying that it matches the authenticated session.
This means that the server trusts user input for identity information instead of deriving it from the logged-in user context (e.g., via session token or user ID).
Vulnerable request example:
This request succeeds even though the authenticated user is not “admin,” allowing impersonation of any username.
Root cause:
The backend fails to bind the authorName field to the authenticated user session and trusts the client input for identity.
PoC
Test Environment:
Target: Local Rallly instance at http://192.168.11.109:3000/
Victim: fairalien (poll owner)
Attacker: hehe (regular user)
Steps to reproduce:
Log in as the attacker (hehe) and participate in a poll.
Intercept the comment submission request using a proxy tool.
Forward the modified request.
Observe that the comment is posted successfully and displayed as authored by “fairalien”
Impact
This is an improper authorization / user impersonation vulnerability.
Affected users: All authenticated users (can impersonate any account)
Consequences:
Attackers can impersonate trusted users (admins, poll owners, moderators).
Potential for phishing or malicious link distribution under trusted names.
Damage to platform integrity and user trust.
Recommended fix:
The backend should ignore any authorName values supplied by the client and instead associate comments with the authenticated user derived from the session token.