Insecure package vulnerability example?

hazeyjane · December 14, 2017, 5:35pm

Hi, can anyone give me an example of the vulnerabilities of the insecure package? I get that it needs to be removed, otherwise any client can change and view the database. But i cant find one good practical example of actually how this attack is done in the chrome console.

For example, in the Meteor Todo app tutorial, in the step right before removing the insecure and autopublish packages, i tried accessing/modifying the Tasks collection from the chrome console, but couldn’t do anything to it, i just get “Uncaught ReferenceError: Tasks is not defined”.

I would like to understand exactly how someone can attack my database when those packages are not removed from the project.

The collection is defined in /imports/api/tasks.js like this:
export const Tasks = new Mongo.Collection('tasks');

And gets imported in /imports/ui/App.js like this:
import { Tasks } from '../api/tasks.js';

App is then imported in /client/main.js and gets rendered inside the Meteor.startup method.

skirunman · December 14, 2017, 5:45pm

As Chrome does not support import and Meteor uses modules you will need to use require from the browser console to create a global object and then you will be able to update the collection from the console. See

hazeyjane · December 14, 2017, 5:54pm

Got it! Thanks! it’s exactly what i wanted to know.

herteby · December 14, 2017, 8:06pm

Also, you don’t even need access to the collection variables or anything like that. If you just have the DDP package you can do:

const foo = DDP.connect('https://example.com')
foo.call('/exampleCollection/insert', {foo:'foo'})

To insert stuff, if they have the insecure package.

And when visiting a Meteor site, you can type Meteor.connection._methodHandlers to get a list of all available methods