RPC Implementation allows unauthenticated remote calls
High
Lark Technologies
Team Summary
Official summary from Lark Technologies
It was found that the RPC implementation via postMessage within Lark did not check origin, so an attacker could have potentially performed RPC calls on behalf of a user. We thank @mike12 for reporting this to our team and confirming the resolution.
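The class of defect the summary describes, shown as an added example (not Lark's code, and not the reporter's proof of concept): a postMessage-based RPC receiver that dispatches whatever arrives, next to one that checks `event.origin` against an explicit allowlist and replies to the verified origin only. The RPC method table, the `https://app.example.test` origin and the sample events are constructed placeholders for illustration.

```javascript
// Added example, not code from the original report. Demonstrates why a
// postMessage RPC endpoint must check event.origin before dispatching.

// Hypothetical RPC surface: a single privileged-looking method.
const RPC_METHODS = {
  getProfile: (user) => ({ user, role: "member" }),
};

// Origins allowed to call the RPC surface. Placeholder value; in a real
// deployment this is the fixed list of first-party origins.
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]);

// Vulnerable pattern: any window that can obtain a reference to this one
// (opener, embedded iframe, popup) can invoke RPC methods as the user,
// because the sender's origin is never consulted.
function handleRpcUnchecked(event) {
  const { method, args } = event.data || {};
  const fn = RPC_METHODS[method];
  if (typeof fn !== "function") return { ok: false, error: "unknown method" };
  return { ok: true, result: fn(...(Array.isArray(args) ? args : [])) };
}

// Hardened pattern: exact-match the origin against an allowlist, validate
// the message shape, and only then dispatch.
function handleRpcChecked(event, trusted = TRUSTED_ORIGINS) {
  // Exact comparison. Prefix or substring checks (e.g. origin.startsWith or
  // origin.includes) are a well-known way to get this wrong.
  if (!trusted.has(event.origin)) {
    return { ok: false, error: "untrusted origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.method !== "string") {
    return { ok: false, error: "malformed request" };
  }
  const fn = Object.prototype.hasOwnProperty.call(RPC_METHODS, data.method)
    ? RPC_METHODS[data.method]
    : undefined;
  if (typeof fn !== "function") return { ok: false, error: "unknown method" };
  return { ok: true, result: fn(...(Array.isArray(data.args) ? data.args : [])) };
}

// Browser wiring (skipped when run outside a browser). Note the reply uses
// the verified event.origin as targetOrigin rather than "*", so the result
// cannot be delivered to a window of a different origin.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleRpcChecked(event);
    if (event.source && typeof event.source.postMessage === "function") {
      event.source.postMessage(reply, event.origin);
    }
  });
}

// Constructed sample events standing in for MessageEvent objects.
const EVENT_FROM_TRUSTED = {
  origin: "https://app.example.test",
  data: { method: "getProfile", args: ["alice"] },
};
const EVENT_FROM_UNTRUSTED = {
  origin: "https://evil.example.test",
  data: { method: "getProfile", args: ["alice"] },
};
```

Running `handleRpcUnchecked(EVENT_FROM_UNTRUSTED)` returns a successful result, which is exactly the behaviour the report describes; `handleRpcChecked` rejects the same event and only serves the allowlisted origin. Checking `event.origin` on receipt and passing a concrete `targetOrigin` when replying are the two halves of the fix.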
Reported by
mike12
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$1250.00
Weakness
Cross-site Scripting (XSS) - DOM