Kevin Froman's blog

Blog on security, programming, & other musings

Exploiting I2P Bote

2016-11-29

Introduction

I2P-Bote is an experimental anonymous decentralized “email” system that is distributed as a plugin for I2P.

I2P-Bote runs with a browser interface, which introduces a whole class of vulnerabilities, including CSRF.

Exploiting the Client

Similar to my earlier research on I2P, I discovered that I2P-Bote was vulnerable to critical CSRF attacks.

Anyone using I2P-Bote with a typical security setup was at risk to varying degrees, such as having messages sent on their behalf, their keys deleted, etc.

CSRF payloads could have been delivered by websites the user would visit, which could have used JavaScript or embedded hidden “image” elements in the page to send commands to a user’s client.
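As an added illustration (not code from this post or from I2P-Bote) of why both delivery routes above fail against a hardened local web UI, the check below refuses any state-changing action that arrives as a GET (what a hidden image element produces), from a foreign origin, or without the per-session anti-CSRF token. The UI origin and the request shapes are assumptions for the example.

```python
import hmac
import secrets
from typing import Mapping, Tuple
from urllib.parse import urlsplit

# Assumed origin of the local web UI (hypothetical host/port, not taken from
# I2P-Bote). Only requests the browser reports as coming from here are trusted.
UI_ORIGIN = "http://127.0.0.1:8000"


def new_session_token() -> str:
    """Per-session anti-CSRF token, embedded in the forms the UI renders."""
    return secrets.token_urlsafe(32)


def request_origin(headers: Mapping[str, str]) -> str:
    """Normalise the browser-supplied Origin (Referer as fallback) to scheme://host:port."""
    raw = headers.get("Origin") or headers.get("Referer") or ""
    parts = urlsplit(raw)
    return f"{parts.scheme}://{parts.netloc}"


def check_state_change(method: str, headers: Mapping[str, str],
                       form: Mapping[str, str], session_token: str) -> Tuple[bool, str]:
    """Decide whether a request to a state-changing endpoint (send message,
    delete key, ...) may proceed. Returns (allowed, reason)."""
    # 1. A hidden <img src=...> or a plain link can only issue a GET, so a
    #    state-changing endpoint must refuse anything that is not a POST.
    if method.upper() != "POST":
        return False, "state change requested via non-POST (e.g. hidden image tag)"
    # 2. Browsers attach Origin to cross-site POSTs and page scripts cannot forge
    #    it, so a request built by another site fails here (a missing header
    #    normalises to '://' and fails too).
    if request_origin(headers) != UI_ORIGIN:
        return False, "request did not originate from the local UI"
    # 3. A cross-site page cannot read the token out of the UI's forms, so a POST
    #    it assembles with JavaScript arrives without it. Constant-time compare.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = new_session_token()
    # Constructed requests: one from the UI itself, two shaped like the
    # cross-site deliveries described above (hidden image GET, scripted POST).
    print(check_state_change("POST", {"Origin": UI_ORIGIN}, {"csrf_token": token}, token))
    print(check_state_change("GET", {"Referer": "http://third-party.example/page"}, {}, token))
    print(check_state_change("POST", {"Origin": "http://third-party.example"}, {}, token))
```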

Conclusion

Once again, I think it is a mistake to use the highly complex browser environment to build client-side software that also runs as a local server, especially security/privacy-sensitive software.

If you are still on vulnerable versions of I2P or I2P-Bote, I highly recommend updating immediately.

I want to give a big thanks to str4d, who got this vulnerability fixed, and for his work on I2P/I2P-Bote in general.

Written by anonymous