Responsible Security Vulnerability Report: Unauthorized Arbitrary File Upload (InLeo)
Introduction & Background to the Security Audit (May 2024)
This report is part of a comprehensive documentation on the responsible disclosure of security findings on the Inleo platform. The vulnerabilities described here were identified around May 2024 and immediately reported to the development team.
Purpose of the Documentation
The goal of this audit is to provide transparency regarding past risks and to ensure the continuous improvement of the platform’s integrity. In the world of Web3 technologies, a proactive culture of accountability is essential to securing the community’s trust in the long term.
Risk Assessment and All-Clear
Although the identified vulnerabilities theoretically posed a risk to sensitive user data and cryptographic keys, an objective assessment of the situation is crucial:
- No Evidence of Exploitation: Based on current information and thorough investigation, there is no indication that these or other vulnerabilities reported during this period were actively exploited by third parties.
- Data Security: There is no evidence that user information, private keys, or other sensitive data has been leaked to unauthorized third parties.
- Preventive Measures: The prompt reporting and subsequent rapid implementation of security fixes by the Inleo team effectively closed the window of opportunity for potential attacks before any damage could occur.
Conclusion
These reports serve to document and provide evidence of a successful collaboration between independent security researchers and platform operators. They underscore the shared goal of making Inleo one of the most secure gateways in the Hive ecosystem.
Security Vulnerability Report: Unauthorized Arbitrary File Upload
Report Date: May 3rd, 2024
Researcher: louis88
Status: Resolved
Severity: Critical
Product: Inleo.io Web Platform
Module: Image Upload Feature
Summary
A critical vulnerability was identified in the image upload module of the Inleo.io web platform (Threads and Post-Creation sections). The system lacked sufficient server-side validation, allowing users to upload and host arbitrary file types beyond standard image formats. This included executable scripts (.sh, .py), binaries (.exe), and web files (.html, .svg) capable of executing malicious JavaScript in the context of the platform's image domain.
Technical Analysis
The Flaw
The upload feature was designed to handle images but failed to enforce strict file-type restrictions. By monitoring network traffic (Fetch/XHR), it was determined that the server accepted any file extension and MIME type.
While the image server did not execute the files server-side (e.g., it did not run an uploaded .py file on the host), it served them back with their original headers, so a browser fetching such a file would render it and execute any embedded script client-side.
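The flaw described above is the absence of server-side checks on what the upload endpoint accepts and how the image host serves it back. The following is an added example of the kind of validation that closes it; it is not Inleo's code and makes no claim about how the fix was actually implemented. It assumes the service can see the uploaded bytes, the original filename and the client-declared MIME type, and it treats only the bytes as trustworthy: the extension must be on an image allowlist, the content must carry a matching image signature, and the stored name and response headers are chosen by the server rather than taken from the client. The sample uploads at the bottom are constructed for the demonstration.

```python
"""Server-side upload validation for an image host (added example, not Inleo's code)."""
import hashlib
import os
from typing import Optional

# Allowlist: extension -> MIME type the server will advertise when serving the file.
# SVG is deliberately absent: it is an XML document that may carry <script>, which is
# exactly the client-side execution risk the report describes.
ALLOWED_EXTENSIONS = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".webp": "image/webp",
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify an image by its leading bytes (file signature), ignoring whatever
    the client claimed in the filename or Content-Type."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_upload(filename: str, declared_mime: str, data: bytes) -> dict:
    """Decide whether an upload may be stored and, if so, how it must be served.

    Three independent checks must all pass: an allowlisted extension, a genuine
    image signature in the bytes, and agreement between the two. The
    client-supplied declared_mime is recorded for logging but never trusted.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return {"accepted": False, "reason": f"extension {ext!r} not allowed"}
    detected = sniff_image_type(data)
    if detected is None:
        return {"accepted": False, "reason": "no recognised image signature"}
    if detected != ALLOWED_EXTENSIONS[ext]:
        return {"accepted": False,
                "reason": f"content is {detected}, extension says {ALLOWED_EXTENSIONS[ext]}"}
    # The server chooses the stored name (a content hash), never the user's filename.
    stored_name = hashlib.sha256(data).hexdigest() + ext
    # Headers the image host should emit: a server-determined type, no MIME sniffing,
    # and a sandboxed CSP so nothing can run even if a check is ever bypassed.
    headers = {
        "Content-Type": detected,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return {"accepted": True, "reason": "ok", "declared_mime": declared_mime,
            "stored_name": stored_name, "headers": headers}


# Constructed sample uploads for the demonstration (not files from the report).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # PNG signature plus padding
HTML_DOC = b"<html><body><script>document.title = 'x'</script></body></html>"

SAMPLES = {
    "photo.png": ("image/png", PNG_HEADER),        # legitimate image: accepted
    "inleo.html": ("text/html", HTML_DOC),         # the shape of the report's PoC
    "disguised.png": ("image/png", HTML_DOC),      # HTML renamed to .png
    "pic.jpg": ("image/jpeg", PNG_HEADER),         # extension/content mismatch
    "logo.svg": ("image/svg+xml", b"<svg/>"),      # scriptable XML image
}


def run_samples() -> dict:
    """Map each constructed sample filename to whether it would be accepted."""
    return {name: validate_upload(name, mime, data)["accepted"]
            for name, (mime, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (mime, data) in SAMPLES.items():
        result = validate_upload(name, mime, data)
        print(f"{name:15} -> {'accepted' if result['accepted'] else 'rejected'}: {result['reason']}")
```

Only `photo.png` passes; the HTML file is rejected on its extension, the renamed HTML on its missing image signature, the mislabelled JPEG on the mismatch between its bytes and its extension, and the SVG because it is not on the allowlist. The response headers matter independently of the upload check: a host that always sets its own `Content-Type` with `nosniff` and a sandboxing CSP cannot be turned into a script-execution origin even by a file that slipped through.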
Proof of Concept (PoC)
To demonstrate the risk, a file named inleo.html containing embedded JavaScript was uploaded.
Upload Path: Post-Creation / Threads Image Upload.
Result: The file was successfully accepted, stored, and assigned a public URL:
https://img.inleo.io/DQmNsGnKUfrS8YYq792kPBjrpwqDpyVzaX76TNDoMcMF44C/inleo.html
Observation: When accessed, the browser rendered the HTML and executed the embedded JavaScript, confirming a Stored XSS vector via file upload.
Security Impact
The ability to host arbitrary files on an official domain poses several severe risks:
- Stored Cross-Site Scripting (XSS): Attackers could upload HTML files to steal session cookies, perform actions on behalf of users, or deface the platform.
- Malware Distribution: The platform could be used as a trusted host for distributing viruses (.exe), malicious scripts (.sh), or phishing documents, damaging the domain’s reputation and triggering browser "Deceptive Site" warnings.
- Phishing: Malicious actors could host fake login forms on img.inleo.io to harvest user credentials under the guise of an official link.
Well, that's pretty uncool. And a good find from you.