User Directory leaks Per-room Nicknames and Avatars

[matrixbot]

This issue has been migrated from #5677.

---

Update: October 2021

This issue has been resolved for a homeserver's local users.

We still need to address leaking per-room nicknames and avatars for remote users. This is complicated as we do not have an easy, obvious way to retrieve or keep up-to-date the public profile metadata for remote users.

---

Description

The User Directory leaks display names and avatars for a user that are sent in only one room.
For example, by manually crafting a m.room.member state event – or recently using the /myroomnick command in Riot/Web, even if the state event is sent in a private room.

Steps to reproduce

• Using Riot/Web with account @alice:example.org, open a private chat (such as a direct chat with a close friend)
• Issue the command /myroomnick Freddy, which sends a m.room.member state event into only that room with a custom nickname.
• From another account, say @bob:example.org, open up the User Search
• Search for 'Freddy' or 'alice' — @alice:example.org will be listed with the name 'Freddy'
  • Note: this assumes that alice is visible to bob in the user directory – i.e. alice is in a public room known to the homeserver AND/OR alice and bob share a private room together.
• (Note that Synapse's user_directory table also reflects the change)

Expected Behaviour

alice's original display name should be shown in the user search.

Implications

This has privacy implications – a nickname set in a private room with a close friend may be quite personal and perhaps embarrassing if seen by other users.

Version information

• Homeserver: librepush.net

If not matrix.org:

• Version: 1.1.0+bionic1

not really relevant, I suspect:

• Install method: Debian packages

• Platform: Ubuntu 18.04 in an LXC container on NixOS