Avatar endpoint accessible without authentication #3480

Closed
scruplelesswizard opened this issue Jun 7, 2016 · 16 comments · Fixed by #6788

Comments

@scruplelesswizard

Your Rocket.Chat version: 0.33.0

The /avatar endpoint is accessible without authentication.

This creates two security related issues:

  1. As user avatars are stored by using the username as the file name, this provides an attacker with an easily exploitable method of getting valid user names.
  2. Private information (the avatar photos) is accessible to unauthenticated parties.

Two proposed mitigations:

  1. Store user avatars using a hash of the username as the filename.
  2. Require an authenticated user before allowing access to the /avatars endpoint or return an HTTP 401
@MartinSchoeler
Contributor

This issue was not fixed on #6788 and was closed by mistake

@Lemmmy

Lemmmy commented Aug 8, 2017

Can we increase the priority on this issue? It can be a pretty abusable security issue.

@jgtoriginal
Contributor

@Lemmmy not sure about that, but you can always put a bounty on it.
https://www.bountysource.com/issues/34942815-avatar-endpoint-accessible-without-authentication

@Lemmmy

Lemmmy commented Aug 8, 2017

Good call, thank you.

@localguru
Contributor

Anything new on this?

@engelgabriel engelgabriel modified the milestones: 0.59.0, 0.60.0 Aug 25, 2017
@engelgabriel engelgabriel removed this from the 0.59.0 milestone Aug 25, 2017
@amaranto

amaranto commented Sep 6, 2017

+1 !

@cjpabloL

cjpabloL commented Sep 7, 2017

+1 !

@bbrauns
Contributor

bbrauns commented Oct 19, 2017

privacy nightmare...

@localguru
Contributor

localguru commented Oct 19, 2017

Still in 0.58.4 and 0.59.0

@jthomae1

+1!

@javiergoni

+1!

@scruplelesswizard
Author

Just wanted to note that we dropped Rocket Chat about a month after I posted this due to all the security issues. We even posted a patch for this issue which wasn't accepted as it might break integrations. Two years later, this is still an issue... Rocket Chat showed a lot of promise, but being insecure by default and refusing to correct the errors means that Rocket Chat isn't a real option, especially not for any European entity since GDPR has come into effect.

@ashishbhate

> Just wanted to note that we dropped Rocket Chat about a month after I posted this...

what are you using instead?

@sampaiodiego
Member

@chaosaffe we're sorry to hear that you dropped Rocket.Chat. I don't see how this affects GDPR; can you please explain? We've done other important improvements to be GDPR compliant (which you can see here #9769), but we might have missed this one.

Also, as you may have noticed, there is an open PR #9749 waiting for changes before it can be merged. It's now prioritized to be merged next month, so I'll make sure the changes are made before then.

@sampaiodiego sampaiodiego added this to To do in August/2018 via automation Aug 2, 2018
@sampaiodiego sampaiodiego modified the milestones: Short-term, 0.69.0 Aug 2, 2018
August/2018 automation moved this from To do to Done Aug 17, 2018
@localguru
Contributor

@sampaiodiego please reopen as this is still an issue in 0.69.2 and we don't want to forget it ;)

@sampaiodiego
Member

@localguru there is now an option under Accounts > Avatar that lets you block unauthenticated access to avatars:

[screenshot of the Accounts > Avatar setting]
