Leak data by Intercept request

Bug and problem reporting on Cyclos 4 version

Moderators: rmvanarkel, hugo, alexandre

Post Reply
Posts: 70
Joined: Mon Aug 03, 2015 10:19 am

Leak data by Intercept request

Post by trustpay »

Hi Cyclos team,

I found a problem on Cyclos 4.12.1, please help me check this!
I can get all customers data: id, username ... with 3 steps

Step 1: Login https://wallet.vndc.io by user account
Step 2: Click menu User and Searching
Step 3: Intercept request

Many Thanks!


POST /web-rpc/userService HTTP/1.1
Host: wallet.vndc.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Session-Prefix: gMX8JYM8QJBVQWaL
Channel: main
Content-Type: application/json
Referer: https://wallet.vndc.io/
Content-Length: 492
Cookie: Session-Token=G6Cw9lePI4sZdjLx
Connection: close

{"operation":"search", "params":[{"class":"org.cyclos.model.users.users.UserQuery", "mapDirectory":false, "locateFirst":false, "includeGlobal":false, "orderBy":"RELEVANCE", "userStatus":["ACTIVE","BLOCKED"], "ignoreProfileFieldsInList":false, "onlyContacts":false, "excludeContacts":false, "includeGroup":false, "includeGroupSet":false, "includeMainBroker":false, "messagesEnabled":false, "productsIndividuallyAssigned":false, "currentPage":0, "pageSize":40, "addressResult":"NO_ADDRESSES"}]}
Posts: 207
Joined: Fri Feb 17, 2006 11:01 am

Re: Leak data by Intercept request

Post by luis »

There are 2 issues:

- You can see the id and display of other users because your user is allowed to do users search. You don't even need to intercept requests: just use the API (/api/users or via the legacy /web-rpc/users/search). You can set "Search users on groups" to "None" in the products, and users won't be able to search other users, including on autocompletes. The can still pay other users by using exact-match identification methods (as configured in the channel, could be login name, e-mail, account number, ...)

- Maybe you still want users to search other users, but don't see the login name (or whatever field) that is returned in the "shortDisplay" property. If this is the case, you can set on the user configuration another field on "Short display". We have 2 ways to show the user: a "normal" / "long" or a "short". An obvious usage for the short display is on SMS messages, where we have limited text. By default, the full display is the full name and the short display is the login name. In Cyclos 4.13 we will allow the short display to be empty (defaulting to truncated full display), but currently selecting a field is required. Bear in mind that both "Display" and "Short display" are stored statically, and returned to users regardless of permission to view specific fields (for example, the login name). This is a must for performance, or getting a list of x users / ads would require processing on runtime each permission over each field, per user. So, the quickest way to fix the issue is to set the short display as the full name. If someone inspects the search results, he'll see that the response has the full name twice, but at least no data that can't be seen is returned. Also, and very important, as these data are statically stored, just changing the field in the configuration won't change the existing users. After saving the configuration, run a new Bulk action of type reindex users. Select all groups / statuses and apply. In a few seconds / minutes, all the users will be updated.
Luis Fernando Planella Gonzalez
Cyclos development team
Post Reply