Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard +40 merge_pr award. New to the repo? See the Contributing guide, and Local Development & SSO to run the app locally (cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.

Description

Any way to act as another user without their credentials, OR to elevate privileges to admin without admin-level OIDC claims.

Likely surfaces

  • OIDC PKCE flow in packages/shared-utils/src/auth/ — race conditions in state, code_verifier reuse, missing audience validation
  • Session cookie handling — fixation, missing httpOnly/Secure flags, predictable session IDs
  • The scoreboard's ADMIN_GROUPS group-name match (case sensitivity, whitespace, missing claim)
  • Bot API key validation (verifyBotApiKey) — timing leaks, length-extension
  • linked_accounts flow allowing account takeover via Signal UUID swap

Distinct from "lost session"

If you can prove you became another user via something other than that user typing their password, this qualifies. Critical tier.

--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*

Relevant files

No relevant files linked yet.

Hints

No hints yet.

Activity

No points have been awarded for this bounty yet.

Comments

No comments yet. Be the first to weigh in.

↑ Top