Exploiting I2P Bote
I2P-Bote is an experimental anonymous decentralized “email” system that is distributed as a plugin for I2P.
I2P-Bote runs with a browser interface, which introduces a whole class of vulnerabilities, including CSRF.
Exploiting the Client
Similar to my earlier research on I2P, I discovered that I2P-Bote was vulnerable to critical CSRF attacks.
Anyone using I2P-Bote with a typical security setup was at risk to varying degrees, such as having messages sent on their behalf, their keys deleted, etc.
Once again, I think it is a mistake to use the highly complex browser environment to make client side software that also runs as a server locally, especially security/privacy sensitive software.
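To make the defensive side of this concrete, here is an added example (not code from the I2P-Bote project) of the two checks a locally served web UI needs before it honours a state-changing request: a same-origin check on the Origin/Referer headers and a per-session synchronizer token that only the UI's own pages can embed. The loopback origin `http://127.0.0.1:7657`, the `csrf_token` form field, and the request shapes in `__main__` are constructed assumptions for illustration, not I2P-Bote's real addresses or parameters.

```python
"""Origin/Referer plus synchronizer-token check for a locally hosted web UI.

Added example, not I2P-Bote project code. The trusted origins, form field
name and sample requests are constructed assumptions.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the UI is only ever served on these loopback origins.
TRUSTED_ORIGINS = {"http://127.0.0.1:7657", "http://localhost:7657"}

# Only methods that change state (send mail, delete keys, ...) need the checks;
# a browser may issue cross-site GETs freely and they must stay side-effect free.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def new_csrf_token() -> str:
    """Per-session secret the server keeps and embeds in its own forms.
    A cross-site page cannot read it, so it cannot forge a valid submission."""
    return secrets.token_urlsafe(32)


def _origin_of(headers: Dict[str, str]) -> Optional[str]:
    """Derive the requesting origin from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def check_request(method: str, headers: Dict[str, str], form: Dict[str, str],
                  session_token: str) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Safe methods pass. State-changing methods must arrive from a trusted
    origin AND carry the session's token; failing either check rejects the
    request before any handler runs."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = _origin_of(headers)
    if origin is None:
        # Browsers send Origin on cross-site form posts; a request with neither
        # header gives no basis for trust, so fail closed.
        return False, "missing Origin and Referer"
    if origin not in TRUSTED_ORIGINS:
        return False, f"untrusted origin {origin}"
    submitted = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session_token):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    tok = new_csrf_token()
    # Constructed: a form post produced by the UI's own page.
    print(check_request("POST", {"Origin": "http://127.0.0.1:7657"},
                        {"csrf_token": tok, "to": "alice", "body": "hi"}, tok))
    # Constructed: a cross-site post riding on the victim's cookies, no token.
    print(check_request("POST", {"Origin": "http://evil.example"},
                        {"to": "alice", "body": "hi"}, tok))
```

The token check alone would stop the forged post; the origin check is kept as a second layer because it also catches cases where a token leaks through a log or a referrer, and because rejecting on origin is cheap and logs a clear reason for detection.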
If you are still on vulnerable versions of I2P or I2P-Bote, I highly recommend updating immediately.
I want to give a big thanks to str4d, who got this vulnerability fixed, and for his work on I2P/I2P-Bote in general.