
🔴 HIGH: Insecure WebSocket connection to AI recommendation service

Security Vulnerability

Severity: HIGH (CVSS 7.4)

File: src/services/RecommendationService.ts:23-28

Vulnerable Code

class RecommendationService {
  private wsUrl = 'ws://api.example.com/recommendations';  // ⚠️ INSECURE!
  private socket?: WebSocket;
  
  connect() {
    // Using unencrypted WebSocket (ws://) instead of wss://
    this.socket = new WebSocket(this.wsUrl);  // VULNERABLE!
    // No certificate validation
    // No authentication header
  }
}

Security Issues

  1. Unencrypted Connection: Using ws:// instead of wss://

    • All recommendation data sent in plaintext
    • User IDs, preferences, and interactions visible to network eavesdroppers
    • Man-in-the-middle (MITM) attack possible
  2. No Certificate Pinning: App doesn't validate server certificate

    • Attacker can intercept and modify recommendations
    • Phishing attack: serve malicious content disguised as recommendations
  3. Missing Authentication: No JWT token in WebSocket headers

    • Anyone can connect to recommendation service
    • Unauthorized data access

Exploitation Scenario

Attacker on same WiFi network:

  1. Intercepts ws:// connection
  2. Reads user_id from WebSocket messages
  3. Accesses user's recommendation history
  4. Injects malicious recommendations
  5. Tracks user behavior patterns

Data at Risk

  • User IDs and profile information
  • Content preferences and viewing history
  • Real-time interaction patterns
  • Behavioral analytics data

Impact

  • Privacy: User data exposed to network eavesdroppers
  • Security: MITM attacks can serve malicious content
  • Compliance: GDPR violation (data not encrypted in transit)

Remediation

Short-term Fix (Week 1)

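class RecommendationService {
  // ✅ FIXED: Use wss:// with certificate pinning
  private wsUrl = 'wss://api.example.com/recommendations';
  private socket?: WebSocket;
  
  // loadCertificate() and logger are app-level helpers defined elsewhere
  async connect(authToken: string) {
    const headers = {
      'Authorization': `Bearer ${authToken}`,  // JWT auth
    };
    
    // The third (options) argument is a React Native extension of the WebSocket constructor
    this.socket = new WebSocket(this.wsUrl, [], {
      headers,
      // Certificate pinning (React Native). `pinningCert` is not an option of the
      // built-in WebSocket; pinning has to be enforced by the native layer
      // (see Platform Impact).
      pinningCert: await loadCertificate(),
    });
    
    // The built-in WebSocket has no .on(); attach the handler through onerror
    this.socket.onerror = () => {
      // Don't expose internal error details
      logger.error('WebSocket connection failed');
    };
  }
}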

Long-term Solution (Week 2-3)

  1. Certificate Pinning: Pin production certificate in app
  2. Token Refresh: Auto-refresh JWT before expiry
  3. Connection Recovery: Exponential backoff with secure retry
  4. Network Security Config:
    • Enforce TLS 1.3+
    • Disable cleartext traffic in production

Testing

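# Test with network proxy (Charles/mitmproxy)
# Should fail with certificate pinning error

# Verify the wss:// endpoint by sending the WebSocket handshake over HTTPS
# (AUTH_TOKEN holds a valid JWT; the key is the sample nonce from RFC 6455)
curl -i -N --http1.1 \
  -H "Connection: Upgrade" \
  -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" \
  -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  -H "Authorization: Bearer $AUTH_TOKEN" \
  https://api.example.com/recommendations
# Should return 101 Switching Protocols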

Related Issues

  • Depends on: ai-recommendation-engine#14 (API authentication)
  • Blocks: #3 (closed) (offline mode - needs secure sync)
  • Related: ai-recommendation-engine#18 (backend security fixes)

Platform Impact

iOS:

  • Add certificate pinning via Keychain
  • Update Info.plist NSAppTransportSecurity

Android:

  • Configure network_security_config.xml
  • Pin certificate via OkHttp

Acceptance Criteria

  • Replace ws:// with wss:// across all WebSocket connections
  • Implement certificate pinning for production
  • Add JWT authentication to WebSocket headers
  • Test with network interception tools (should fail)
  • Update security documentation

Timeline: 1 week

cc: @jean_gabriel @michael_usanchenko @sabrina
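
Added example, not part of the original issue or the project's code: one way to implement items 2 and 3 of the Long-term Solution (token refresh before expiry, exponential backoff with secure retry) so that every reconnect re-checks the wss:// scheme. All function names, the 60-second refresh lead and the 1 s / 30 s backoff limits are assumptions.

```typescript
// Added example, not project code: names, lead time and backoff limits are assumptions.
// Accept only wss:// so a retry or config typo can never fall back to cleartext ws://.
function assertSecureWsUrl(raw: string): string {
  const url = raw.trim();
  if (!/^wss:\/\/[^\/?#\s]+/i.test(url)) {
    throw new Error('WebSocket URL must use wss://');
  }
  return url;
}

// Read `exp` (seconds) from a JWT payload, for scheduling only; the server verifies the signature.
function jwtExpiryMs(token: string): number | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
    return typeof payload.exp === 'number' ? payload.exp * 1000 : null;
  } catch {
    return null;
  }
}

// Refresh when the token is unreadable or expires within `leadMs`.
function needsRefresh(token: string, nowMs: number, leadMs = 60_000): boolean {
  const exp = jwtExpiryMs(token);
  return exp === null || exp - nowMs <= leadMs;
}

// Exponential backoff with full jitter: uniform in [0, min(cap, base * 2^attempt)).
function backoffDelayMs(attempt: number, rand: () => number = Math.random,
                        baseMs = 1_000, capMs = 30_000): number {
  return Math.floor(rand() * Math.min(capMs, baseMs * 2 ** attempt));
}

// One reconnect decision: re-validate the URL, decide on refresh, pick the delay.
function planReconnect(url: string, token: string, attempt: number, nowMs: number,
                       rand: () => number = Math.random) {
  return {
    url: assertSecureWsUrl(url),
    refreshFirst: needsRefresh(token, nowMs),
    delayMs: backoffDelayMs(attempt, rand),
  };
}

// Constructed sample token (unsigned, for the demo only).
const b64url = (s: string) => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = (expSec: number) =>
  `${b64url('{"alg":"none"}')}.${b64url(JSON.stringify({ sub: 'u1', exp: expSec }))}.sig`;
```

The caller sleeps for `delayMs`, fetches a new JWT when `refreshFirst` is true, and only then opens the socket to the validated `url`.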