Issue #8925 resolved

Issue and comment delete links are unauthenticated GET, vulnerable to CSRF (BB-10093)

Jeremy Banks
created an issue

First: please add instructions to your support site for what users should do when they find potentially damaging vulnerabilities with your site. If you don't have instructions for how security issues should be handled, it doesn't give the impression that you care very much.


In many cases it is trivial for a malicious user to cause issues and issue comments on BitBucket to be deleted. Their delete links are simple unauthenticated HTTP GET requests. As you should know, these must never be used to trigger the modification of significant data. A malicious user just needs to post a comment that tries to load the delete URL as an image. When that comment is viewed by a user with appropriate permissions, it will cause the target issue or comment to be deleted.

![](https://bitbucket.org/ACCOUNT/REPO/issue/delete/ISSUE_ID/COMMENT_ID)

This could be set up to also delete the payload comment, nicely cleaning up the evidence of the abuse. (At least from our perspective. I hope you would have still some internal records/logs.)


I have successfully used this technique to cause issues owned by teammates of mine to be deleted, by including the delete URL as an image in one of our team chat rooms.
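The fix the report asks for, sketched as an added example that is not Bitbucket's code: the same delete action on an unauthenticated GET beside a hardened version that requires POST plus a session-bound CSRF token. The `Request` shape, the session dict and the in-memory issue store are assumptions.

```python
"""Vulnerable vs. hardened delete handler for the bug class in this report.
Framework-free; Request, session and store shapes are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    session: dict                       # server-side session of the viewer
    form: dict = field(default_factory=dict)


def can_delete(session, issue_id, store):
    """Authorization check shared by both handlers (constructed rule)."""
    return store.get(issue_id, {}).get("owner") == session.get("user")


def delete_issue_vulnerable(req, issue_id, store):
    """Mirrors the reported behaviour: any method, no CSRF token.
    A GET fired by an <img> tag succeeds with the viewer's permissions."""
    if not can_delete(req.session, issue_id, store):
        return 403
    del store[issue_id]
    return 200


def issue_csrf_token(session):
    """Bind a random token to the session; the delete form must echo it."""
    session.setdefault("csrf", secrets.token_hex(16))
    return session["csrf"]


def delete_issue_hardened(req, issue_id, store):
    """Refuse GET, then require a token equal to the session's."""
    if req.method != "POST":
        return 405                      # image/link loads never get here
    expected = req.session.get("csrf")
    submitted = req.form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403                      # constant-time compare, no oracle
    if not can_delete(req.session, issue_id, store):
        return 403
    del store[issue_id]
    return 200
```

A comment containing the delete URL as an image now yields a 405 for the viewer, and a forged POST from another origin still fails for lack of the session token.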

Comments (5)

  1. Dylan Etkin

    Thank you for bringing this issue to our attention.

    We are working on a fix as I type this. We can certainly be more clear around the best ways to report security issues. We will post a clearer set of instructions soon.

    If ever in doubt, please always contact us by emailing support@bitbucket.org.

    Cheers,

    Dylan

    Bitbucket Dev Manager