
Severe Security Issue in Version 4: E-Mail Leak #3600

Closed · okybr opened this issue Jun 28, 2021 · 2 comments · Labels: bug

okybr commented Jun 28, 2021

I already contacted some maintainers privately about this, but they did not respond. That's why I'm now making this public.

In Talk version 4, it is very easy to query the e-mail addresses of users without any authentication, thus possibly revealing the true identities behind their pseudonyms.

This is possible although the documentation states:

The primary email address of the user. Only accessible to Administrators or the current user.

But in order to find out the e-mail address of a user, you can, e.g., simply send the GraphQL query `query Q1 { user(id: "XXXX") { email } }` to the GraphQL endpoint of the talk-server, without any authentication. You can also query all e-mail addresses with `query Q2 { users(query: {}) { nodes { email } } }`.

I demand that the maintainers (@wyattjoh, @cvle, @kgardnr) merge the pull request as soon as possible and release version 4.13.0 on the version-4 branch.

@okybr okybr added the bug label Jun 28, 2021
munishsinghal commented

Even after these changes, it seems users with the role ADMIN or MODERATOR can still see the email address in Postman with the GraphQL queries below:

```graphql
query Q1 { user(id: "XXXX") { email } }
query Q2 { users(query: {}) { nodes { email } } }
```

But users with the role STAFF or COMMENTER cannot see the email address.

wyattjoh (Collaborator) commented Aug 9, 2021

Those roles still need to see the email address to facilitate communication with the affected users for moderation.
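The thread describes a GraphQL field that was resolved for any caller even though the documentation restricts it to administrators or the current user, and the maintainer's comment that moderation roles still need to read it. The following is an added example, not Coral Talk's own code: a plain JavaScript `User.email` field resolver in its leaking form next to a hardened form that applies the documented rule plus the ADMIN/MODERATOR exception. It runs without a GraphQL server; the user records, the shape of `context.viewer`, and the function names (`ownerOrRole`, `runEmailQuery`, `readableEmailCount`) are constructed for this example.

```javascript
// Added example, not Coral Talk's own code: field-level authorization for a
// GraphQL `User.email` field, written as plain resolver functions so it runs
// without a GraphQL server. Role names follow the thread (ADMIN, MODERATOR,
// STAFF, COMMENTER); the user records, the `viewer` shape and the function
// names are constructed for this example.

// Roles that, per the maintainer's comment, still need to read emails for moderation.
const ROLES_THAT_MAY_SEE_EMAIL = new Set(["ADMIN", "MODERATOR"]);

// Constructed sample records standing in for the user collection.
const USERS = {
  u1: { id: "u1", username: "alice", role: "COMMENTER", email: "alice@example.com" },
  u2: { id: "u2", username: "bob", role: "STAFF", email: "bob@example.com" },
  u3: { id: "u3", username: "mod", role: "MODERATOR", email: "mod@example.com" },
};

// The flaw: the field resolver hands back the stored value to whoever asks,
// so an unauthenticated request (context.viewer === null) gets every address.
function emailResolverVulnerable(user, _args, _context) {
  return user.email;
}

// Reusable guard for any per-user field that only the owner or privileged roles
// may read. Every other caller receives null instead of the stored value.
function ownerOrRole(allowedRoles, resolver) {
  return function guarded(user, args, context) {
    const viewer = context.viewer; // null for unauthenticated requests
    if (!viewer) return null;
    if (viewer.id !== user.id && !allowedRoles.has(viewer.role)) return null;
    return resolver(user, args, context);
  };
}

// Hardened resolver: the documented rule ("only administrators or the current
// user") plus moderators, wrapped around the same underlying field read.
const emailResolverHardened = ownerOrRole(ROLES_THAT_MAY_SEE_EMAIL, (user) => user.email);

// Stand-in for the two queries in the thread: `user(id)` when userId is given
// (Q1), otherwise all users (Q2). Returns [{ id, email }] as the field resolved it.
function runEmailQuery(resolver, viewer, userId) {
  const context = { viewer };
  const targets = userId ? [USERS[userId]].filter(Boolean) : Object.values(USERS);
  return targets.map((u) => ({ id: u.id, email: resolver(u, {}, context) }));
}

// Audit helper: how many addresses a given viewer can read through a resolver.
function readableEmailCount(resolver, viewer) {
  return runEmailQuery(resolver, viewer, null).filter((r) => r.email !== null).length;
}
```

Calling `readableEmailCount(emailResolverVulnerable, null)` returns the full user count, which is the leak reported in the issue; `readableEmailCount(emailResolverHardened, null)` returns 0, a COMMENTER viewer reads only their own address, a STAFF viewer reads none belonging to others, and a MODERATOR viewer reads all of them. Putting the check in the field resolver rather than in the `user`/`users` query resolvers matters because the same `User` type is reachable through other paths (comment authors, search results), and a guard on the root query alone would leave those paths open.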
