Rocket.chat: Avatar endpoint accessible without authentication

Created on 7 Jun 2016 · 16 Comments · Source: RocketChat/Rocket.Chat

Your Rocket.Chat version: 0.33.0

The /avatar endpoint is accessible without authentication.

This creates two security related issues:

  1. As user avatars are stored by using the username as the file name, this provides an attacker with an easily exploitable method of getting valid user names.
  2. Private information (the avatar photos) is accessible to unauthenticated parties.

Two proposed mitigations:

  1. Store user avatars using a hash of the username as the filename.
  2. Require an authenticated user before allowing access to the /avatars endpoint, or return an HTTP 401.


This issue was not fixed on #6788 and was closed by mistake

Can we increase the priority on this issue? It can be a pretty abusable security issue.

@Lemmmy not sure about that, but you can always put a bounty on it.
https://www.bountysource.com/issues/34942815-avatar-endpoint-accessible-without-authentication

Good call, thank you.

Anything new on this?

+1 !

+1 !

privacy nightmare...

Still in 0.58.4 and 0.59.0

+1!

+1!

Just wanted to note that we dropped Rocket Chat about a month after I posted this due to all the security issues. We even posted a patch for this issue which wasn't accepted as it might break integrations. Two years later, this still is an issue... Rocket Chat showed a lot of promise, but being insecure by default and refusing to correct the errors means that Rocket Chat isn't a real option, especially not for any European entity since GDPR has come into effect.

Just wanted to note that we dropped Rocket Chat about a month after I posted this...

what are you using instead?

@chaosaffe we're sorry to hear that you dropped Rocket.Chat. I don't see how this affects GDPR; can you please explain? We've done other important improvements to be GDPR compliant (which you can see here https://github.com/RocketChat/Rocket.Chat/issues/9769), but we might have missed this one.

Also, as you may have noticed, there is an open PR https://github.com/RocketChat/Rocket.Chat/pull/9749 waiting for changes before it can be merged. It's now prioritized to be merged next month, so I'll make sure the changes are made by then.

@sampaiodiego please reopen as this is still an issue in 0.69.2 and we don't want to forget it ;)

@localguru there is now an option under Accounts > Avatar with which you can block unauthenticated access to avatars.

