Avatar endpoint accessible without authentication #3480
Comments
This issue was not fixed on #6788 and was closed by mistake
Can we increase the priority on this issue? It can be a pretty abusable security issue.
@Lemmmy not sure about that, but you can always put a bounty on it.
Good call, thank you.
Anything new on this?
+1 !
privacy nightmare...
Still in 0.58.4 and 0.59.0
+1!
+1!
Just wanted to note that we dropped Rocket Chat about a month after I posted this due to all the security issues. We even posted a patch for this issue which wasn't accepted as it might break integrations. Two years later, this still is an issue... Rocket Chat showed a lot of promise, but being insecure by default and refusing to correct the errors means that Rocket Chat isn't a real option, especially not for any European entity since GDPR has come into effect.
what are you using instead?
@chaosaffe we're sorry to hear that you dropped Rocket.Chat. I don't see how this affects GDPR, can you please explain? We've done other important improvements to be GDPR compliant (which you can see here #9769), but we might have missed this one. Also, as you may have noticed, there is an open PR #9749 waiting for changes to be able to be merged. It's now prioritized to be merged next month, so I'll make sure the changes are made by then.
@sampaiodiego please reopen as this is still an issue in 0.69.2 and we don't want to forget it ;)
@localguru there is now an option under
Your Rocket.Chat version: 0.33.0
The /avatar endpoint is accessible without being authenticated. This creates two security related issues:
Two proposed mitigations:
/avatars endpoint or return an HTTP 401