Bug #58

Sender ID Validation Bypass in Chat API (Message Spoofing) (Web-API)

Added by Vivek Kumar 22 days ago.

Status:
New
Priority:
High
Assignee:
-
Start date:
03/30/2026
Due date:
% Done:

0%

Estimated time:

Description

The addNewMessage endpoint allows sending messages with any arbitrary senderId, as long as it is a syntactically valid MongoDB ObjectId. The backend does not verify that the sender exists or that it matches the authenticated user.
The API accepts the user-controlled senderId without proper validation. This allows an attacker to impersonate any existing user, or even a non-existent one.

Steps to Reproduce:

  1. Intercept or craft a request to the endpoint: https://api.akinderwellness.com:4001/api/chat/addNewMessage
  2. Modify the senderId field with any valid MongoDB ObjectId (existing or non-existing).
  3. Send the request.

Observed Result:
The message is successfully created and stored, even when the senderId does not correspond to a real or authorized user.

Expected Result:
The server should derive the sender identity from the authenticated session (JWT), not from client input.
The sender must:
  - exist in the database
  - match the authenticated user
  - be a participant in the chat

NOTE: A Postman request has been created to reproduce the bug easily.
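The following is an added example of the fix described above, not code from the akinderwellness project: a framework-independent addNewMessage handler that takes the sender from the identity established by JWT middleware, rejects a mismatching client-supplied senderId (a useful spoofing signal for logging), and checks that the sender exists and participates in the chat. The `auth` object, the store shape and all ObjectIds are constructed stand-ins.

```javascript
// 24 hex characters: the only thing a MongoDB ObjectId string guarantees on its own.
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;

// Constructed in-memory stand-in for the users/chats/messages collections (hypothetical data).
const db = {
  users: new Set(['64b1f0c2e4a1b23c4d5e6f01', '64b1f0c2e4a1b23c4d5e6f02', '64b1f0c2e4a1b23c4d5e6f03']),
  chats: {
    '64b1f0c2e4a1b23c4d5e6f10': { participants: ['64b1f0c2e4a1b23c4d5e6f01', '64b1f0c2e4a1b23c4d5e6f02'] },
    '64b1f0c2e4a1b23c4d5e6f11': { participants: ['64b1f0c2e4a1b23c4d5e6f02', '64b1f0c2e4a1b23c4d5e6f03'] },
  },
  messages: [],
};

// Hardened handler. `auth` is the identity the JWT middleware already verified
// (what Express code usually exposes as req.user); `body` is the parsed request body.
function addNewMessage(auth, body, store = db) {
  // 1. The sender identity comes from the verified token, never from the body.
  if (!auth || typeof auth.userId !== 'string' || !OBJECT_ID_RE.test(auth.userId)) {
    return { status: 401, error: 'unauthenticated' };
  }
  const senderId = auth.userId;

  // 2. A body senderId that differs from the token is a spoofing attempt: reject it
  //    instead of silently overwriting, so it can be logged and alerted on.
  if (body.senderId !== undefined && body.senderId !== senderId) {
    return { status: 403, error: 'senderId does not match authenticated user' };
  }

  // 3. The sender must still exist (tokens can outlive deleted accounts).
  if (!store.users.has(senderId)) return { status: 403, error: 'unknown sender' };

  // 4. The chat must exist and the sender must be one of its participants.
  if (typeof body.chatId !== 'string' || !OBJECT_ID_RE.test(body.chatId)) {
    return { status: 400, error: 'invalid chatId' };
  }
  const chat = store.chats[body.chatId];
  if (!chat || !chat.participants.includes(senderId)) {
    return { status: 403, error: 'not a participant of this chat' };
  }

  if (typeof body.text !== 'string' || body.text.trim() === '') {
    return { status: 400, error: 'empty message' };
  }

  // Persist with the server-derived senderId only.
  const message = { chatId: body.chatId, senderId, text: body.text };
  store.messages.push(message);
  return { status: 201, message };
}
```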
