Description
The User Directory leaks display names and avatars for a user that are sent in only one room.
For example, by manually crafting an m.room.member state event – or recently using the /myroomnick command in Riot/Web, even if the state event is sent in a private room.
Steps to reproduce
1. Using Riot/Web with account @alice:example.org, open a private chat (such as a direct chat with a close friend).
2. Issue the command /myroomnick Freddy, which sends an m.room.member state event into only that room with a custom nickname.
3. From another account, say @bob:example.org, open up the User Search.
4. Search for 'Freddy' or 'alice' — @alice:example.org will be listed with the name 'Freddy'.
   Note: this assumes that alice is visible to bob in the user directory – i.e. alice is in a public room known to the homeserver AND/OR alice and bob share a private room together.

(Note that Synapse's user_directory table also reflects the change)
Expected Behaviour
alice's original display name should be shown in the user search.
Implications
This has privacy implications – a nickname set in a private room with a close friend may be quite personal and perhaps embarrassing if seen by other users.
Version information
Homeserver: librepush.net
If not matrix.org:
Version: 1.1.0+bionic1
not really relevant, I suspect:
Install method: Debian packages
Platform: Ubuntu 18.04 in an LXC container on NixOS
This issue has been migrated from #5677.
Update: October 2021
This issue has been resolved for a homeserver's local users.
We still need to address leaking per-room nicknames and avatars for remote users. This is complicated as we do not have an easy, obvious way to retrieve or keep up-to-date the public profile metadata for remote users.
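The leak the issue describes, and the local-only fix noted in the update, as an added example: this is a simplified model written for this page, not Synapse code. The room IDs, the remote user @carol:remote.test, the profile store and all function names are constructed assumptions.

```python
# Simplified model, not Synapse code. All users, rooms and events are constructed.
LOCAL_SERVER = "example.org"
PROFILES = {"@alice:example.org": "Alice"}  # global display names of local users

def member(room, user, name):
    return {"type": "m.room.member", "room_id": room, "state_key": user,
            "content": {"membership": "join", "displayname": name}}

EVENTS = [
    member("!public:example.org", "@alice:example.org", "Alice"),
    member("!public:example.org", "@carol:remote.test", "Carol"),
    member("!private:example.org", "@alice:example.org", "Freddy"),  # /myroomnick Freddy
]

def joins(events):
    """Yield (user_id, per-room display name) for each join event, in order."""
    for ev in events:
        if ev["type"] == "m.room.member" and ev["content"].get("membership") == "join":
            yield ev["state_key"], ev["content"].get("displayname")

def is_local(user_id):
    return user_id.split(":", 1)[1] == LOCAL_SERVER

def directory_leaky(events):
    """Reported behaviour: the latest member event in any room sets the name."""
    return dict(joins(events))

def directory_fixed(events, profiles):
    """Local users get their global profile name. Remote users still take the
    per-room value, so they are returned separately as unverified."""
    directory, unverified = {}, set()
    for user, room_name in joins(events):
        if is_local(user):
            directory[user] = profiles.get(user)
        else:
            directory[user] = room_name
            unverified.add(user)
    return directory, unverified

def search(directory, term):
    """Case-insensitive match on user ID or directory display name."""
    term = term.lower()
    return sorted(u for u, name in directory.items()
                  if term in u.lower() or term in (name or "").lower())

def audit(directory, profiles):
    """Local entries whose directory name differs from the global profile."""
    return {u: (name, profiles.get(u)) for u, name in directory.items()
            if is_local(u) and name != profiles.get(u)}
```

The `audit` check is the part an administrator can apply to real data: any local directory entry whose name differs from the user's global profile is a candidate leaked per-room nickname.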