
Moving messages from public to private streams may leave them accessible

High
alexmv published GHSA-478x-rfqr-w4jf Mar 19, 2024

Package

Zulip Server (Application)

Affected versions

>= 3.0, < 8.3

Patched versions

8.3

Description

Impact

In some cases, an authorized Zulip user in your organization who previously had permission to see a given message may have continued to have access to the message even after it was moved to a stream the user lacked permission to read. For users who are not guests, that means a private stream that they are not subscribed to. Users would be able to access the message in their search results, including potentially seeing the name of the private stream to which the message had been moved.

The impact of this bug on your organization is thus limited to the risk that one of the affected messages was improperly read after being moved. Any user who could access a message as a result of this bug had previously had access to that message, and thus could have retained access to the message’s content in some other way (e.g., by taking a screenshot earlier, or saving an email notification containing the message).

There were two different cases which triggered this bug:

  1. Moving a single message between streams. This bug was triggered only when a user moved a single message from a public stream to a private stream, not an entire topic or multiple messages at once. While the move succeeded, Zulip did not remove permission to view the message from many users who had permission to view messages in the source stream, but not the destination stream. Additionally, active users might continue to see the message in the source stream until the server was updated or they reloaded their Zulip window.
  2. Moving any number of messages after a user was unsubscribed from the source stream. If a message received by a user was moved to another stream after that user was unsubscribed from the source stream, Zulip did not remove that user’s permission to view the message, even when they did not have permission to view messages in the destination stream.
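To make the two cases concrete, here is an added Python model of the visibility invariant the advisory describes. It is not Zulip's code: the stream, subscription and per-user visibility structures, the two buggy move functions, the fixed move, the audit function and the user and stream names are all constructed for this example. The buggy moves reproduce case 1 (no revocation on a single-message move) and case 2 (revocation computed from the current subscribers of the source stream, which misses a user who unsubscribed earlier); the fixed move re-derives retention from the records that actually exist.

```python
"""Toy model of the message-visibility invariant behind this advisory.

Added example, not Zulip's code. Plain Python structures stand in for the
per-user records a chat server keeps so search and history can answer
"may this user see message N?". The invariant: after any move, every holder
of such a record must be able to read the message's current stream.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Stream:
    name: str
    private: bool  # True for an invite-only stream


@dataclass
class Org:
    streams: Dict[str, Stream]
    subscriptions: Dict[str, Set[str]]  # user -> streams subscribed to
    guests: Set[str]
    message_stream: Dict[int, str] = field(default_factory=dict)
    # message id -> users holding a "may see this message" record
    visibility: Dict[int, Set[str]] = field(default_factory=dict)

    def can_read_stream(self, user: str, stream: str) -> bool:
        """Private streams (and every stream, for guests) need a subscription;
        public streams are readable by any non-guest."""
        if self.streams[stream].private or user in self.guests:
            return stream in self.subscriptions[user]
        return True

    def deliver(self, msg_id: int, stream: str) -> None:
        """A new message grants a visibility record to each current subscriber."""
        self.message_stream[msg_id] = stream
        self.visibility[msg_id] = {u for u, s in self.subscriptions.items() if stream in s}

    def unsubscribe(self, user: str, stream: str) -> None:
        self.subscriptions[user].discard(stream)

    # Case 1: the message's stream changes, no visibility record is revoked.
    def move_single_buggy(self, msg_id: int, dest: str) -> None:
        self.message_stream[msg_id] = dest

    # Case 2: revocation considers only *current* subscribers of the source
    # stream, so a user who unsubscribed earlier but still holds a record
    # from delivery time is never examined.
    def move_bulk_buggy(self, msg_id: int, dest: str) -> None:
        src = self.message_stream[msg_id]
        current_src_subs = {u for u, s in self.subscriptions.items() if src in s}
        self.visibility[msg_id] -= {u for u in current_src_subs if not self.can_read_stream(u, dest)}
        self.message_stream[msg_id] = dest

    # Fixed: start from the records that exist and keep only holders who can
    # read the destination stream.
    def move_fixed(self, msg_id: int, dest: str) -> None:
        self.visibility[msg_id] = {u for u in self.visibility[msg_id] if self.can_read_stream(u, dest)}
        self.message_stream[msg_id] = dest

    def leaked_readers(self, msg_id: int) -> Set[str]:
        """Audit: record holders who cannot read the message's current stream.
        A non-empty result means the invariant is violated."""
        stream = self.message_stream[msg_id]
        return {u for u in self.visibility[msg_id] if not self.can_read_stream(u, stream)}


def make_org() -> Org:
    """Constructed sample org: 'general' is public, 'secret' is private;
    alice subscribes to both, bob only to general; neither is a guest."""
    return Org(
        streams={"general": Stream("general", False), "secret": Stream("secret", True)},
        subscriptions={"alice": {"general", "secret"}, "bob": {"general"}},
        guests=set(),
    )


def single_move_leak(fixed: bool) -> Set[str]:
    """Case 1: one message moved from the public stream to the private one."""
    org = make_org()
    org.deliver(1, "general")
    (org.move_fixed if fixed else org.move_single_buggy)(1, "secret")
    return org.leaked_readers(1)


def move_after_unsubscribe_leak(fixed: bool) -> Set[str]:
    """Case 2: bob leaves the source stream, then the message is moved."""
    org = make_org()
    org.deliver(2, "general")
    org.unsubscribe("bob", "general")
    (org.move_fixed if fixed else org.move_bulk_buggy)(2, "secret")
    return org.leaked_readers(2)


if __name__ == "__main__":
    for name, fn in [("single move", single_move_leak), ("move after unsubscribe", move_after_unsubscribe_leak)]:
        print(f"{name}: buggy leaks {sorted(fn(False))}, fixed leaks {sorted(fn(True))}")
```

In both scenarios the buggy move leaves bob holding a record for a message now in a private stream he cannot read, which is exactly the state the advisory says search results exposed; the audit in leaked_readers is the kind of check an operator could run over real per-user records after upgrading to confirm no stale grants remain.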

The bug was present since 2021, when the feature that allows moving messages into private streams was introduced. However, the buggy option to move a single message was rarely used before December 2023, when it became the default option for moving the last message in a topic. The Zulip development team discovered the bug while investigating an anomaly in the Zulip development community.

Patches

Fixed in Zulip Server 8.3.

Workarounds

None.

Severity

High

CVE ID

CVE-2024-27286

Weaknesses

No CWEs