NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket

Rocket.Chat is one of the most popular open-source solutions for team communication, written in JavaScript and TypeScript. It has more than 12 million users worldwide and there are over 800,000 server instances deployed that are being used to exchange confidential information and files. My security research team and I discovered critical vulnerabilities in its source code that could have been used by an attacker to take complete control over a server, starting with as little as any user’s email address. 

In this blog post, I investigate these vulnerabilities by first taking a quick look at NoSQL databases, then explaining what injections look like in that context. I then analyze the vulnerabilities we found and how they can be chained into an exploit. Finally, I give advice on how to prevent such bugs in your own applications.