VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2022 · Updated Apr 22, 2025

ActivityWatch vulnerable to DNS rebinding attack

CVE-2022-31149

Description

ActivityWatch is an open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a patch. As a workaround, block DNS lookups that resolve to 127.0.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ActivityWatch prior to 0.12.0b2 is vulnerable to DNS rebinding attacks, allowing full access to the REST API.

Vulnerability

ActivityWatch, an open-source automated time tracker, is vulnerable to DNS rebinding attacks in versions prior to v0.12.0b2 [1][3]. The vulnerability allows an attacker to bypass the browser's same-origin policy by tricking it into making requests to the local ActivityWatch REST API. All users running versions before v0.12.0b2 are affected [3].

Exploitation

An attacker must host a malicious website that the victim visits. The attacker's domain initially resolves to a public IP, then after the browser's DNS cache expires, it resolves to 127.0.0.1. The attacker's page can then make requests to the ActivityWatch REST API on localhost, as demonstrated in the proof-of-concept gist [2]. No authentication is required beyond the victim running ActivityWatch.

Impact

An attacker gains full access to the ActivityWatch REST API, enabling exfiltration of time-tracking data, modification of buckets, or other actions. The impact includes information disclosure and potential data manipulation [3].

Mitigation

Users should upgrade to v0.12.0b2 or later [1][3]. As a workaround, block DNS lookups that resolve to 127.0.0.1 [3]. The fix was included in the v0.12.0b2 beta release and subsequent stable releases [1].
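The patched release is not reproduced here. As an added example (not ActivityWatch's own code), the Python below shows the two defences a practitioner would apply to this class of bug on a localhost-only REST API: validating the HTTP Host header, which defeats rebinding no matter what the attacker's name resolves to, and the advisory's workaround of refusing DNS answers that point an external name at loopback. The function names, the allow-list, and the sample Host values and addresses are assumptions constructed for illustration; the resolver filter generalises the advisory's "127.0.0.1" to any loopback address (127.0.0.0/8 and ::1).

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames under which a local-only API may legitimately be reached.
# Assumed allow-list for illustration; a real service would derive it
# from its bind address.
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def host_header_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return True if the Host header names the local service itself.

    A rebinding page reaches the API through the attacker's hostname, so
    the browser sends that name in Host, not 'localhost'. Rejecting any
    other Host value is independent of DNS and fails closed on garbage.
    """
    if not host_header:
        return False
    try:
        # urlsplit handles optional ports and bracketed IPv6 literals,
        # and lower-cases the hostname for us.
        hostname = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return False
    return hostname is not None and hostname in allowed_hosts


def authorize_request(headers):
    """Minimal middleware-style check: returns (status, reason)."""
    host = headers.get("Host") or headers.get("host")
    if not host_header_allowed(host):
        return 403, "Host header does not name this local service"
    return 200, "ok"


def resolver_answer_allowed(name, answers):
    """The advisory's workaround, as a resolver-side filter.

    'name' is the queried hostname, 'answers' the IP strings it resolved
    to. External names must never resolve to loopback; only 'localhost'
    and its subdomains are expected to. Unparseable answers are rejected.
    """
    name = name.lower().rstrip(".")
    if name == "localhost" or name.endswith(".localhost"):
        return True
    for ip_str in answers:
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return False
        if ip.is_loopback:
            return False
    return True


def rebinding_sequence_blocked(name, first_answers, later_answers):
    """Model the two-phase DNS answer a rebinding attack relies on and
    report whether the filter stops the second (loopback) phase."""
    return (resolver_answer_allowed(name, first_answers)
            and not resolver_answer_allowed(name, later_answers))


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print(authorize_request({"Host": "localhost:8000"}))
    print(authorize_request({"Host": "attacker.example:8000"}))
    print(rebinding_sequence_blocked("attacker.example",
                                     ["203.0.113.10"], ["127.0.0.1"]))
```

The Host check is the durable fix: it works even when the victim's resolver cannot be changed, which is why local web services commonly pair it with the DNS-level workaround rather than relying on either alone.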

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)