Critical Authorization Bypass: Self-Voting Vulnerability in Card Voting System #2561

@khushal-winner

Describe the bug

Critical authorization bypass in the voting system. Any authenticated player can vote on any dealt card (including their own) by executing JavaScript commands in the browser console. The toggle_vote handler in player_live/show.ex lacks ownership validation, allowing complete voting manipulation and letting a player get more votes than the voting limit.

Expected behavior

  • Players can only vote on other players' cards
  • Self-voting should be blocked server-side
  • Vote access should be validated by card ownership (dealt_card.player_id != current_player.id)

Desktop

  • OS: Windows 11
  • Browser: Chrome 120+
  • Version: Latest

Video Demo

2026-03-08.01-05-33.mp4

Additional context

Root cause: Line 132 in player_live/show.ex - DealtCard.find(dealt_card_id) fetches any card without checking dealt_card.player_id.

Impact:

  • Game integrity compromised
  • Players can boost own scores
  • Fair competition destroyed
  • Test case in player_live_test.exs:120 confirms vulnerability

Fix needed: Add authorization check in handle_event("toggle_vote", ...) before processing votes.

Script Used

const fake = document.createElement('div');
fake.setAttribute('phx-click', 'toggle_vote');
fake.setAttribute('phx-value-dealt_card_id', '47588');
document.body.appendChild(fake);
fake.click();
document.body.removeChild(fake);
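
One way to express the server-side check this report asks for, as an added example that is not part of the original issue or the project's code. The module, struct and field names (other than `dealt_card.player_id`), the toggle-off behaviour and the vote limit of 3 are assumptions; the sample events are constructed.

```elixir
# Added illustration, not the project's code. Names other than
# dealt_card.player_id are assumptions, as is the vote limit of 3.
defmodule VoteGuard do
  defmodule Player, do: defstruct([:id])
  defmodule DealtCard, do: defstruct([:id, :player_id])

  # voted_ids: ids of the dealt cards this player currently has a vote on,
  # loaded server-side. Returns {:ok, action} or {:error, reason}.
  def authorize(%Player{} = player, dealt_card, voted_ids, vote_limit) do
    cond do
      # The client-supplied id did not resolve to a card.
      is_nil(dealt_card) -> {:error, :not_found}
      # Ownership check: a player may not vote on a card dealt to them.
      dealt_card.player_id == player.id -> {:error, :own_card}
      # Toggling an existing vote off is assumed to be always allowed.
      dealt_card.id in voted_ids -> {:ok, :remove_vote}
      # Enforce the limit on the server, whatever the UI shows.
      length(voted_ids) >= vote_limit -> {:error, :vote_limit_reached}
      true -> {:ok, :add_vote}
    end
  end
end

alias VoteGuard.{Player, DealtCard}

# Constructed sample data: player 1 owns card 10, player 2 owns cards 11-14.
me = %Player{id: 1}

cards =
  Map.new([{10, 1}, {11, 2}, {12, 2}, {13, 2}, {14, 2}], fn {id, owner} ->
    {id, %DealtCard{id: id, player_id: owner}}
  end)

# Each tuple is {dealt_card_id from the event, ids already voted on}.
events = [{10, []}, {11, []}, {11, [11]}, {14, [11, 12, 13]}, {99, []}]

for {card_id, voted_ids} <- events do
  result = VoteGuard.authorize(me, Map.get(cards, card_id), voted_ids, 3)
  voted = inspect(voted_ids, charlists: :as_lists)
  IO.puts("card #{card_id}, voted #{voted}: #{inspect(result)}")
end
```

In a LiveView handler, the player passed to such a check should come from state the server already holds for the session, never from the event parameters, and the vote should change only on an `{:ok, _}` result.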
