I already contacted some maintainers privately about this, but they did not respond. That's why I'm now making this public.
In Talk version 4 it is very easy to query the e-mail addresses of users without any authentication, thus possibly revealing the true identities behind their pseudonyms.
This is possible although the documentation states:
> The primary email address of the user. Only accessible to Administrators or the current user.
But in order to find out the e-mail address of a user, you can simply send a `query Q1 { user(id: "XXXX") { email } }` GraphQL query to the GraphQL endpoint of the Talk server, without any authentication. You can also query all e-mail addresses with `query Q2 { users(query: {}) { nodes { email } } }`.
I demand that the maintainers (@wyattjoh, @cvle, @kgardnr) merge the pull request as soon as possible and release version 4.13.0 on the version-4 branch.
Even after these changes, it seems a user with role ADMIN or MODERATOR can still see the email address in Postman with the GraphQL queries below:
```graphql
query Q1 { user(id: "XXXX") { email } }
query Q2 { users(query: {}) { nodes { email } } }
```
but a user with role Staff or Commenter cannot see the email address.
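To make the documented rule for `User.email` ("only accessible to Administrators or the current user") concrete against both the unauthenticated case reported in the issue and the role observation in the comment above, here is an added example; it is not Coral Talk's own code. It implements a field-level check and a minimal stand-in for the `email` resolver, then runs the shape of Q1 and Q2 against constructed sample users. The role names, the context shape (`ctx.user`), the `USERS` records and the helper names are assumptions made for the example.

```javascript
// Added example, not Coral Talk's own code. Implements the documented rule
// "email is only accessible to Administrators or the current user" as a
// field-level check and shows what each kind of viewer gets back.
// Role names, ctx.user and the sample users below are assumptions.

// Policy: the viewer may read target.email only when the viewer is an ADMIN
// or is the same account. An unauthenticated request (viewer null) is
// rejected first; that is the case the issue reports.
function canSeeEmail(viewer, target) {
  if (!viewer || !viewer.id) return false; // no authentication: deny
  if (viewer.role === "ADMIN") return true; // administrators
  return viewer.id === target.id;           // the current user
}

// Resolver for the `email` field. Returning null instead of the address
// keeps `users { nodes { email } }` usable for callers who may not read
// every address; throwing would fail the whole list.
const resolvers = {
  User: {
    email(user, _args, ctx) {
      return canSeeEmail(ctx.user, user) ? user.email : null;
    },
  },
};

// Constructed sample data, not real users.
const USERS = [
  { id: "u1", username: "alice", role: "ADMIN", email: "alice@example.org" },
  { id: "u2", username: "bob", role: "MODERATOR", email: "bob@example.org" },
  { id: "u3", username: "carol", role: "COMMENTER", email: "carol@example.org" },
];

// Stand-in for Q1: `user(id) { email }` resolved for a given viewer.
function runQ1(viewer, id) {
  const target = USERS.find((u) => u.id === id);
  if (!target) return null;
  return { id: target.id, email: resolvers.User.email(target, {}, { user: viewer }) };
}

// Stand-in for Q2: `users(query: {}) { nodes { email } }` for a given viewer.
function runQ2(viewer) {
  return USERS.map((u) => ({ id: u.id, email: resolvers.User.email(u, {}, { user: viewer }) }));
}

// The check a reporter would make against a patched server: which user ids
// hand their address to this viewer?
function leakedEmails(viewer) {
  return runQ2(viewer).filter((n) => n.email !== null).map((n) => n.id);
}

if (typeof require !== "undefined" && require.main === module) {
  const viewers = { anonymous: null, ...Object.fromEntries(USERS.map((u) => [u.username, u])) };
  for (const [name, viewer] of Object.entries(viewers)) {
    console.log(name, "receives addresses for:", leakedEmails(viewer));
  }
}
```

Under this rule an anonymous caller receives no address from either query, an ADMIN receives all of them, and a MODERATOR or COMMENTER receives only their own. A server that still hands addresses to moderators is applying a broader check than the one the documentation describes, which is the point worth confirming with the Postman queries above.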