User Data Disclosure via API Call

[archang3l-media]

Description:

After getting an auth token via:

curl -d "username=myusername&password=mypassword"
https://rocketchatserver/api/v1/login

any authenticated user can crawl all information about any other user, including the highlighted
keywords, last active time and notification settings with

curl -H "X-Auth-Token: $insert_auth_token_here$"
-H "X-User-Id: $insert_user_id_here$"
https://rocketchatserver/api/v1/users.list

This allows for massive scraping of user data, even if limited to 1 dataset per API call.

Server Setup Information:

• Version of Rocket.Chat Server: 0.63.1
• Operating System: centos 7
• Deployment Method(snap/docker/tar/etc): tar
• Number of Running Instances: 5
• DB Replicaset Oplog: enabled
• Node Version: 8.9.4
• mongoDB Version: 3.4.14

Steps to Reproduce:

1. curl -d "username=myusername&password=mypassword"
   https://open.rocket.chat/api/v1/login
2. curl -H "X-Auth-Token: $insert_auth_token_here$"
   -H "X-User-Id: $insert_user_id_here$"
   https://open.rocket.chat/api/v1/users.list

Expected behavior:

Get the basic user information, for instance name and maybe email address

Actual behavior:

You get user types, roles, notification settings
(all data is from my Rocket.Chat account)
{
„_id": "XXXXXXXXX",
„username“: "*XXXXXX",
"type": "user",
"status": "offline",
"active": true,
„name": "XXXXXXXX",
"ldap": true,
"utcOffset": 2,
"language": "en",
"settings": {
"preferences": {
"newRoomNotification": "door",
"newMessageNotification": "chime",
"emailNotificationMode": "disabled",
"mergeChannels": false,
"roomsListExhibitionMode": "category",
"notificationsSoundVolume": 100,
"desktopNotifications": "all",
"mobileNotifications": "mentions",
"idleTimeLimit": 1800,
"enableAutoAway": false,
"highlights": [
"essen, kuchen, torte"
],
"desktopNotificationDuration": 0,
"viewMode": 0,
"hideUsernames": false,
"hideRoles": false,
"hideAvatars": false,
"hideFlexTab": false,
"sendOnEnter": "normal",
"roomCounterSidebar": false,
"sidebarViewMode": "condensed",
"sidebarShowUnread": true,
"useEmojis": true,
"convertAsciiEmoji": true,
"saveMobileBandwidth": false,
"collapseMediaByDefault": false,
"muteFocusedConversations": true,
"autoImageLoad": true,
"unreadAlert": true,
"language": "en"
},
"profile": {}
},
"statusLivechat": "not-available",
"operator": true
},

Relevant logs:

//No relevant logs, since this is a general API Problem

[graywolf336]

Pull request #10411 addresses this. In your opinion, should this warrant a security release for 63?

[TwizzyDizzy]

Well... there are the highlight-words of a person right there. In this case it's "essen, kuchen, torte" (which is german and translates to "food, cake, pie") ... but it might just as well be something more private. This is clearly a grave thing to be openly available as it might reveal deeply personal things. So the (my) answer is: yes, by all means.

Additionaly the fields status and active allow behaviour (e.g. sleep cycle) tracking, unreadAlert allows to check whether you acted upon a notification, autoImageLoad allows me to check whether I could attack you via a maliciously crafted image via PM...

Cheers
Thomas

[graywolf336]

Thanks @TwizzyDizzy. I am of that opinion myself, so I just wanted to be sure that it wasn't just a me thing.

[TwizzyDizzy]

Hey @graywolf336

Just for transparency reasons: I can't seem to find a mention of this in any release notes yet #10411 seems to have been merged. Is this intended?

Cheers
Thomas

[graywolf336]

@TwizzyDizzy quite honestly, I forgot about this issue when doing both of the previous releases. 🙈 so, it's not in any of the v63 releases.

@RocketChat/core thoughts on this?

[sampaiodiego]

we should have included this in some of the hotfixes.. but a release candidate will be cut out today with this included, should it be enough?

[TwizzyDizzy]

Since release of the next version is basically just around the corner, I think we should just move this to the 0.64.0 milestone. Just my two cents, though...

Cheers
Thomas