Name of the Vulnerable Software and Affected Versions: Pusher (affected versions not specified)

Description: The issue arises from a lack of validation in the libraries provided to customers, allowing a malicious end-user to submit a malformed socket id field. This leads the customer to unknowingly sign a string, granting access to a different private channel than the one the end-user is requesting. A malicious end-user with permission to subscribe to one private channel can forge permission for any private channel owned by the same customer. The HTTP API is secured by requiring a signature with each request, generated by the customer's secret key. In specific cases, a malicious end-user may deceive a customer into signing a value for socket id, effectively authenticating an API request to Pusher.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.