Security in Meteor.userId() usage

danass · April 8, 2022, 1:56am

I was testing the security of my app and I started messing around with the Meteor.defineSetter function that is accessible in the browser.

Here is code:

Meteor.userId()
Output:> ‘stringidXXX’

Meteor.defineSetter(‘test’, function(val) { this.userId = () => val})
Meteor.test = ‘spoofedUserIDXXX’

Meteor.userId()
‘spoofedUserIDXXX’

Meteor.call to the server doesn’t update with the fake Id but the client does and data updates according to the state of current userId.

For this part of my code is calling a refresh of the state of the page and updating the according to the fake values:

const [now, setCountdowns] = useState(null)

useEffect(() => {
const interval = Meteor.setInterval(() => {
setCountdowns(Date.now())
}, 100);

return () => {
Meteor.clearInterval(interval);

};
}, [now])

{Meteor.userId() ? <div>{Meteor.userId()} logged</div> : <div>not logged</div>}

When spoofing the UserId, the data updates and prints “logged” after the first rerender that occurs on the setCountdowns update.

A simple way to avoid the problem is to never use Meteor.userId() directly in the render function but instead declaring a hook and checking it’s value like this:

const [user, setUser] = useState(Meteor.userId()? true: false);

vooteles · April 8, 2022, 2:47am

All authentication and security checks need to happen on the server. Any variables on the client can be modified and cannot be relied on for security. In single page applications, like most Meteor apps are, the goal is not to prevent malicious users from seeing or messing with UI components, as these are usually delivered to the user anyway in the initial bundle. Instead, the goal is to prevent data that is displayed in those UI components from reaching unauthorized users (methods and publications).

rjdavid · April 8, 2022, 3:19am

Meteor.userId = () => 'any value';

truedon · April 8, 2022, 3:48am

You can change the client on most apps, but trying to actually send through the API will not work. Just like you can right click and inspect element and mess with a page. The exploit would be, being able to actually save to DB. Have you been successful in obtaining an actual logged in user account? If so you have a real exploit otherwise you have just essentially edited markup in the client.