New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC4095: Bundled URL previews #4095
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
Signed-off-by: Tulir Asokan <tulir@maunium.net>
encrypted rooms unless the receiver opts in). | ||
|
||
## Security considerations | ||
Fake preview data as covered in potential issues. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's worth calling out some more explicit security concerns here:
If the sender doen't use its server's /preview_url endpoint as a helper:
- This will leak the sending client's IP to the URL they are previewing.
- The client will need to be careful not to let itself get pwned by malicious content at that URL (e.g. XML parsing exploits in the HTTP library; billion lol attacks...)
- The client should be very careful not to preview URLs provided by other users - e.g. when replying to a message or quoting it, to stop an attacker sending a malicious URL to a user in order to discover their IP or otherwise pwn them.
- Concretely, we don't want a world where you receive spam saying "Click reply to this message to win $20M!!! https://evil.com", where the act of replying generates a preview to https://evil.com which then harvests your IP and serves you a malformed image in its URL preview thumbnail which then pwns your app
- Another concrete attack could be sending a user a malicious URL (hidden in a hyperlink, perhaps? or hidden by mangled UTF sequences) which hits an RFC1918 address on their network to attack them - https://192.168.0.1/ or whatever, and encouraging the user to reply to or quote the msg
One might also want to require an allowlist of IPs the sender's spider is allowed to hit anyway, to try to avoid disasters where users are social-engineered into sending malicious URLs in general, which they never click on, but still get 'clicked on' by the URL previewer, causing chaos.
I'm sure there are a bunch more attack vectors here too...
Rendered
Implementations:
/preview_url
endpoint.Signed-off-by: Tulir Asokan tulir@maunium.net