PILOS Users Beware! Password Reset Vulnerability Discovered

CVE: CVE-2023-47107
CVSS v3.1: 8.8
Source: CVE-2023-47107

PILOS, an open source front-end for the video conferencing platform BigBlueButton, was found to have a vulnerability in its password reset functionality.

The issue arose because PILOS built password reset URLs from the hostname supplied in the request's HTTP Host header rather than from a server-side configured application URL. Since the Host header is set by whoever sends the request, an attacker could request a password reset for a victim's account while supplying their own hostname, and PILOS would email the victim a reset link pointing at the attacker's server instead of the real PILOS instance.

If the user then clicked that link, their browser would request it from the attacker's server, and the reset token carried in the URL would be disclosed to the attacker. With that token, the attacker could complete the reset on the real PILOS instance, set a new password and take over the account.
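To make the mechanism concrete, here is an added example (not code from the PILOS project, which is a PHP/Laravel application; Python is used only to model the bug class). The vulnerable builder copies the request's Host header into the emailed link; the hardened builder takes the host from a configured canonical URL. APP_URL, TRUSTED_HOSTS, the /reset_password path and the attacker hostname are assumptions for the illustration, and the simulated attack constructs its own request and token.

```python
"""Host-header injection in password reset links: vulnerable vs hardened.

Added illustration, not code from the PILOS project. APP_URL, TRUSTED_HOSTS
and the /reset_password path are assumptions made for this example.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed deployment setting: the canonical public URL an operator sets at
# install time. It never changes per request.
APP_URL = "https://pilos.example.org"
TRUSTED_HOSTS = {"pilos.example.org"}


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host is copied from the Host header.

    Whoever sends the reset request controls that header, so they also
    control where the emailed link points.
    """
    host = headers.get("Host", "localhost")
    scheme = "https" if headers.get("X-Forwarded-Proto") == "https" else "http"
    return f"{scheme}://{host}/reset_password?{urlencode({'token': token})}"


def build_reset_url_hardened(token: str, app_url: str = APP_URL) -> str:
    """Hardened pattern: the host comes only from server-side configuration."""
    return f"{app_url.rstrip('/')}/reset_password?{urlencode({'token': token})}"


def host_is_trusted(headers: dict, trusted=TRUSTED_HOSTS) -> bool:
    """Defence in depth for apps that must honour Host (e.g. multi-tenant):
    reject requests whose Host is not on an explicit allowlist.
    Any :port suffix is stripped before comparing.
    """
    host = headers.get("Host", "").split(":", 1)[0].lower()
    return host in trusted


def link_points_to_app(url: str, app_url: str = APP_URL) -> bool:
    """Does a generated link resolve to the configured deployment?"""
    got, want = urlsplit(url), urlsplit(app_url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def simulate_attack(token: str = "") -> dict:
    """Constructed scenario against the vulnerable builder.

    1. The attacker requests a reset for the victim's address with a
       spoofed Host header.
    2. The server emails the victim a link built from that header.
    3. The victim clicks it; the browser sends the token to the link's host.
    Returns the link, what the attacker's server would record, and whether
    the token leaked.
    """
    token = token or secrets.token_urlsafe(32)      # server-side reset token
    attacker_headers = {                            # constructed request
        "Host": "reset.attacker.example",
        "X-Forwarded-Proto": "https",
    }
    link = build_reset_url_vulnerable(attacker_headers, token)

    # Victim clicks: emulate the browser by resolving where the link goes.
    parts = urlsplit(link)
    attacker_log = {}
    if parts.hostname == "reset.attacker.example":
        # The attacker's server just received GET /reset_password?token=...
        attacker_log["captured_token"] = parse_qs(parts.query)["token"][0]
    return {
        "link": link,
        "attacker_log": attacker_log,
        "token_leaked": attacker_log.get("captured_token") == token,
    }


if __name__ == "__main__":
    result = simulate_attack()
    print("emailed link:", result["link"])
    print("token leaked:", result["token_leaked"])
    print("hardened link:", build_reset_url_hardened("t0k3n"))
```

The hardened builder is the fix this bug class calls for: absolute URLs in emails come from configuration, never from a request. host_is_trusted shows the additional allowlist check an application needs when it genuinely has to honour Host; it is a general mitigation, not a description of how PILOS fixed the issue.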

This vulnerability only affected locally created PILOS accounts, that is, accounts whose credentials PILOS itself stores, and required the password reset option to be enabled. Within that scope, however, it allowed full takeover of the affected account.

The PILOS developers have addressed this issue in version 2.3.0. Anyone running a PILOS instance should update immediately.

It is also a good reminder to be cautious with password reset links: check that the link's host is the domain you expect before opening it, because in this case merely loading the link was enough to leak the token, whether or not any credentials were entered afterwards. For developers, the lesson is that absolute URLs placed in emails should be built from a configured canonical base URL, never from request headers such as Host, which are under the sender's control.
