User Data Disclosure via API Call #10401
Comments
Pull request #10411 addresses this. In your opinion, should this warrant a security release for 63?
Well... there are the highlight-words of a person right there. In this case it's "essen, kuchen, torte" (which is German and translates to "food, cake, pie") ... but it might just as well be something more private. This is clearly a grave thing to be openly available as it might reveal deeply personal things. So the (my) answer is: yes, by all means. Additionally the fields Cheers
Thanks @TwizzyDizzy. I am of that opinion myself, so I just wanted to be sure that it wasn't just a me thing.
Hey @graywolf336 Just for transparency reasons: I can't seem to find a mention of this in any release notes, yet #10411 seems to have been merged. Is this intended? Cheers
@TwizzyDizzy quite honestly, I forgot about this issue when doing both of the previous releases. 🙈 So, it's not in any of the v63 releases. @RocketChat/core thoughts on this?
We should have included this in some of the hotfixes... but a release candidate will be cut out today with this included, should it be enough?
Since release of the next version is basically just around the corner, I think we should just move this to the 0.64.0 milestone. Just my two cents, though... Cheers
Description:
After getting an auth token via:

```shell
curl -d "username=myusername&password=mypassword" \
     https://rocketchatserver/api/v1/login
```

any authenticated user can crawl all information about any other user, including the highlighted keywords, last active time and notification settings with

```shell
curl -H "X-Auth-Token: $insert_auth_token_here$" \
     -H "X-User-Id: $insert_user_id_here$" \
     https://rocketchatserver/api/v1/users.list
```

This allows for massive scraping of user data, even if limited to 1 dataset per API call.
Server Setup Information:
Steps to Reproduce:

```shell
curl -d "username=myusername&password=mypassword" \
     https://open.rocket.chat/api/v1/login
curl -H "X-Auth-Token: $insert_auth_token_here$" \
     -H "X-User-Id: $insert_user_id_here$" \
     https://open.rocket.chat/api/v1/users.list
```
Expected behavior:
Get the basic user information, for instance name and maybe email address
Actual behavior:
You get user types, roles, notification settings
(all data is from my Rocket.Chat account)
```json
{
  "_id": "XXXXXXXXX",
  "username": "*XXXXXX",
  "type": "user",
  "status": "offline",
  "active": true,
  "name": "XXXXXXXX",
  "ldap": true,
  "utcOffset": 2,
  "language": "en",
  "settings": {
    "preferences": {
      "newRoomNotification": "door",
      "newMessageNotification": "chime",
      "emailNotificationMode": "disabled",
      "mergeChannels": false,
      "roomsListExhibitionMode": "category",
      "notificationsSoundVolume": 100,
      "desktopNotifications": "all",
      "mobileNotifications": "mentions",
      "idleTimeLimit": 1800,
      "enableAutoAway": false,
      "highlights": [
        "essen, kuchen, torte"
      ],
      "desktopNotificationDuration": 0,
      "viewMode": 0,
      "hideUsernames": false,
      "hideRoles": false,
      "hideAvatars": false,
      "hideFlexTab": false,
      "sendOnEnter": "normal",
      "roomCounterSidebar": false,
      "sidebarViewMode": "condensed",
      "sidebarShowUnread": true,
      "useEmojis": true,
      "convertAsciiEmoji": true,
      "saveMobileBandwidth": false,
      "collapseMediaByDefault": false,
      "muteFocusedConversations": true,
      "autoImageLoad": true,
      "unreadAlert": true,
      "language": "en"
    },
    "profile": {}
  },
  "statusLivechat": "not-available",
  "operator": true
}
```
Relevant logs:
// No relevant logs, since this is a general API problem
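An added regression check (not part of the report or of Rocket.Chat's own code) that audits a users.list response and reports every field outside an allowlist of fields a deployment considers public; the allowlist and the sample response are assumptions constructed for this example, modelled on the record above.

```python
import json

# Allowlist of fields users.list may expose to any authenticated caller.
# This is an assumption for the audit, not Rocket.Chat's own policy; tune it
# to what your deployment treats as public profile data.
PUBLIC_FIELDS = {"_id", "username", "name", "type", "status", "active", "utcOffset"}

# Constructed users.list response modelled on the report above (values redacted).
SAMPLE_RESPONSE = json.loads("""
{"users": [{
  "_id": "XXXXXXXXX", "username": "XXXXXX", "type": "user", "status": "offline",
  "active": true, "name": "XXXXXXXX", "ldap": true, "utcOffset": 2, "language": "en",
  "settings": {"preferences": {"highlights": ["essen, kuchen, torte"],
                               "emailNotificationMode": "disabled"},
               "profile": {}},
  "statusLivechat": "not-available", "operator": true
}], "count": 1, "offset": 0, "total": 1, "success": true}
""")


def leaf_paths(obj, prefix=""):
    """Yield a dotted key path for every leaf value (or empty container) in nested JSON."""
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            yield from leaf_paths(value, f"{prefix}{key}.")
    elif isinstance(obj, list) and obj:
        for item in obj:
            yield from leaf_paths(item, prefix)
    else:
        yield prefix.rstrip(".")


def leaked_fields(response, public_fields=PUBLIC_FIELDS):
    """Return sorted field paths found in any user record but not on the allowlist.

    Only the top-level key is matched against the allowlist, so nested data such
    as settings.preferences.highlights is reported with its full path.
    """
    leaked = set()
    for user in response.get("users", []):
        for path in leaf_paths(user):
            if path.split(".", 1)[0] not in public_fields:
                leaked.add(path)
    return sorted(leaked)


def users_list_is_minimal(response, public_fields=PUBLIC_FIELDS):
    """True when every exposed field is on the allowlist (the expected post-fix state)."""
    return not leaked_fields(response, public_fields)


if __name__ == "__main__":
    for path in leaked_fields(SAMPLE_RESPONSE):
        print("over-exposed:", path)
```

Feed it the JSON returned by your own server's users.list endpoint after upgrading to verify that the preferences and highlight data no longer appear.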