spd
November 14, 2021, 1:19am
1
There is a serious security issue in the mobile app of Rocket.Chat, and it seems that the Rocket.Chat team doesn't care very much. There has been no progress on fixing this issue since July.
The description of the issue is here:
opened 04:12PM - 23 Jun 21 UTC
closed 04:14PM - 23 Jun 21 UTC
### Description:
On iOS, Rocket.Chat app users can acquire the full URL of a file uploaded to a channel.
This URL contains the user id and access token.
A user can send this link to someone else, which will reveal his user id and access token.
As I understood, the access token does not have an expiration time.
So by sending such a URL the user will in fact 1) send a permanent link to the file,
2) give the ability to access the Rocket.Chat server impersonating that user, and
3) potentially give access to any file on the Rocket.Chat server.
### Environment Information:
- Rocket.Chat Server Version: 3.15.0
- Rocket.Chat App Version: 4.17.0.24389
- Device Name: iPhone 8
- OS Version: 14.6
### Steps to reproduce:
1. Click on a file in the channel conversation
2. The file will open
3. Click the Share button at the bottom (the one with the up arrow) and select Copy
4. Paste it somewhere and you have the full URL to the file, with user id and token
### Expected behavior:
Users should not be able to access links containing non-expiring access tokens.
It should either be a temporary access token for the required file only,
or at least be sent in a POST request so the user won't have access to it.
### Actual behavior:
A user can access URLs like this:
https://<rocketchat_address>/file-upload/<file_id>/<actual_filename>?rc_uid=<user_id>&rc_token=<access_token>
The same thing is also possible in the Android mobile app with slightly different manipulations.
### Additional context:
By having a user id and token it is possible to get access to any file on the Rocket.Chat server.
Access to files is not checked against who is allowed to access them.
If you have the file id (which is always 17 characters long, containing A-Z, a-z, 0-9) you can open any file with any user id/token combination.
I've verified the following scenario:
user1 sends a file to user2 in a direct message;
user3 (not in that direct-message conversation), using his own user id and access token, is able to access that file if he knows the file id,
by accessing a URL like this:
https://<rocketchat_address>/file-upload/<file_id>/?rc_uid=<user_id>&rc_token=<access_token>
RocketChat:develop
← RocketChat:fix.account-takeover-ios
opened 08:44PM - 14 Jun 21 UTC
## Proposed changes
Open unsupported files inside an authenticated WebView and don't pass the id and token as query params.
## Issue(s)
User token in query param to access authenticated files
## How to test or reproduce
1. Add an image in a group with the iOS app
2. Another group member opens the uploaded image in the browser
3. When the image is opened in the browser, the token is added to it
## Screenshots
<table>
<thead>
<tr>
<th>Before</th>
<th>After</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<img src="https://user-images.githubusercontent.com/47038980/121956746-de376600-cd37-11eb-90ff-5daa5ea00d8d.png" height="450" />
<img src="https://user-images.githubusercontent.com/47038980/121956754-e1325680-cd37-11eb-95ad-9c6e8374657b.png" height="450" />
</td>
<td>
<img src="https://user-images.githubusercontent.com/47038980/121956896-07f08d00-cd38-11eb-807c-5eea53919d19.png" height="450"/>
</td>
</tr>
</tbody>
</table>
## Types of changes
- [x] Bugfix (non-breaking change which fixes an issue)
- [ ] Improvement (non-breaking change which improves a current function)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Documentation update (if none of the other choices apply)
## Checklist
- [x] I have read the [CONTRIBUTING](https://github.com/RocketChat/Rocket.Chat/blob/develop/.github/CONTRIBUTING.md#contributing-to-rocketchat) doc
- [x] I have signed the [CLA](https://cla-assistant.io/RocketChat/Rocket.Chat.ReactNative)
- [x] Lint and unit tests pass locally with my changes
- [ ] I have added tests that prove my fix is effective or that my feature works (if applicable)
- [ ] I have added necessary documentation (if applicable)
- [ ] Any dependent changes have been merged and published in downstream modules
## Further comments
So it is not secure to use Rocket.Chat unless this issue is fixed.
I suppose that here on the forums there are mostly administrators of their own Rocket.Chat servers.
How are you using Rocket.Chat with such an issue? Aren't you afraid that your users will unintentionally leak their user id and authentication token?
Hi! Thanks for your input on this.
As you can see this fix is already in progress.
This forum is for support only. Please, feel free to comment on that issue.
Thanks!
spd
November 20, 2021, 10:15pm
3
“In progress”?? No activity for 4 months is called in progress?
Actually that is exactly what I do not understand: why a security issue is not in progress.
I did make a comment on that issue without an answer, so what is the point of commenting there?
And here I've posted so that others would be aware of this issue and not think that Rocket.Chat is a secure messenger. It's just a free messenger, and it seems that is all everyone cares about here. No one cares about security.
And this opens another issue: if a security issue is discovered in the future, it will not be fixed quickly. And this is even more disturbing than the security issue itself.