Broken access control on Supabase RPC functions allowed unauthenticated users to view administrative game data, modify streamer profiles, inject arbitrary leaderboard scores and, because inputs were not validated server-side, potentially achieve stored XSS.
Enumerate RPC functions and database tables through the REST catalog.
Expose sensitive KICK user data including user ID, username, display name, follower count, and last active time.
View administrative game data such as current word, round numbers, game start time, and activity details.
Create or update streamer profiles without authorization using the upsert streamer RPC.
Add fake leaderboard scores and player entries using the upsert player score RPC.
Backend built on Supabase using PostgREST and SQL RPC functions.
Both read and write RPC endpoints were exposed with no access restrictions.
The REST catalog at /rest/v1/?&apikey (PostgREST's OpenAPI document, which needs only the public anon key) revealed the full list of RPC functions and database tables.
The get_active_games_admin RPC was callable without authorization and leaked internal game state (current words, round numbers, start and end timestamps, activity data) together with sensitive user data: KICK user ID, username, display name, profile image URL, follower count, total games played, and the exact time each user was last active.
The upsert_streamer and upsert_player_score RPCs accepted an attacker-supplied p_kick_user_id, so any caller could forge or overwrite a streamer's profile, inject fake scores, or set malicious usernames.
With no server-side validation, malicious values could be stored in display names or usernames, creating a risk of stored XSS, phishing, or UI spoofing wherever those fields are rendered.
Missing Row Level Security and insufficient access controls on the RPCs put the integrity of streamer profiles and leaderboards, and the confidentiality of game state data, at risk.
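The following PostgreSQL/Supabase SQL is an added example and is not code from the original report or from the affected project. It first audits which public-schema functions the anon role can execute and which tables have RLS switched off (the two conditions behind the findings above), then shows hardened versions of the admin read path and the streamer upsert, plus RLS on the profile table. The table names (games, admins, kick_accounts, streamers), column names, and the function parameter lists are assumptions for illustration; the real schema is not on the page.

```sql
-- 1. Audit: which functions in the PostgREST-exposed schema can the anonymous
--    role execute?  PostgreSQL grants EXECUTE to PUBLIC by default, so every
--    function in public is reachable at /rest/v1/rpc/<name> with only the
--    anon key unless that grant is revoked.
select p.proname,
       pg_get_function_identity_arguments(p.oid) as args,
       p.prosecdef                               as security_definer
from   pg_proc p
join   pg_namespace n on n.oid = p.pronamespace
where  n.nspname = 'public'
and    has_function_privilege('anon', p.oid, 'EXECUTE')
order  by p.proname;

-- Tables in public with Row Level Security off: reachable directly through
-- /rest/v1/<table> by any role holding a table grant.
select c.relname
from   pg_class c
join   pg_namespace n on n.oid = c.relnamespace
where  n.nspname = 'public'
and    c.relkind = 'r'
and    not c.relrowsecurity;

-- 2. Stop the default exposure for functions created from now on
--    (applies to objects created by the role running this statement).
alter default privileges in schema public
  revoke execute on functions from public, anon, authenticated;

-- 3. Admin read path: gated on an admins table (assumed) keyed by the
--    caller's verified auth.uid(), and never granted to anon.
create or replace function public.get_active_games_admin()
returns setof public.games          -- assumed table
language plpgsql
security definer                    -- runs as the owner and bypasses RLS,
set search_path = ''                -- so the explicit check below is mandatory
as $$
begin
  if auth.uid() is null
     or not exists (select 1 from public.admins a where a.user_id = auth.uid()) then
    raise exception 'forbidden' using errcode = '42501';
  end if;
  return query select g.* from public.games g where g.ended_at is null;
end;
$$;
revoke execute on function public.get_active_games_admin() from public, anon, authenticated;
grant  execute on function public.get_active_games_admin() to authenticated;

-- 4. Streamer profile upsert: the KICK identity is derived from the JWT via an
--    assumed auth-user -> KICK-id mapping table, never from a p_kick_user_id
--    parameter, and the display name is validated before it is stored.
create or replace function public.upsert_streamer(p_display_name text)
returns void
language plpgsql
security invoker                    -- subject to RLS on streamers
set search_path = ''
as $$
declare
  v_kick_user_id bigint;
begin
  select k.kick_user_id into v_kick_user_id
  from   public.kick_accounts k
  where  k.user_id = auth.uid();    -- auth.uid() is null when unauthenticated
  if v_kick_user_id is null then
    raise exception 'authentication required' using errcode = '42501';
  end if;
  -- Allow-list instead of trying to strip markup: letters, digits, space, _ . -
  if p_display_name !~ '^[[:alnum:] _.-]{1,32}$' then
    raise exception 'invalid display name' using errcode = '22023';
  end if;
  insert into public.streamers as s (kick_user_id, owner_id, display_name)
  values (v_kick_user_id, auth.uid(), p_display_name)
  on conflict (kick_user_id) do update
     set display_name = excluded.display_name
   where s.owner_id = auth.uid();   -- a caller can only overwrite their own row
end;
$$;
revoke execute on function public.upsert_streamer(text) from public, anon, authenticated;
grant  execute on function public.upsert_streamer(text) to authenticated;

-- 5. RLS on the profile table so that direct /rest/v1/streamers requests
--    cannot forge or overwrite a profile either.
alter table public.streamers enable row level security;
create policy streamers_public_read  on public.streamers
  for select using (true);
create policy streamers_owner_write on public.streamers
  for all to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- 6. Scores are produced by the game, not the browser: neither anon nor
--    authenticated gets a path to this function; the game server calls it
--    with the service_role key.  (Parameter list assumed; check \df first.)
revoke execute on function public.upsert_player_score(bigint, text, integer)
  from public, anon, authenticated;
```

Re-run the two audit queries after applying the changes: the first should no longer list the admin or upsert functions, and the second should no longer list the profile or leaderboard tables. The SECURITY DEFINER flag from the first query matters because such a function runs as the table owner and therefore bypasses RLS, which is why an in-function authorization check is the only control that protects it.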