Email exposure of users to an authorized user in usememos/memos

Valid

Reported on

Dec 22nd 2022


Description

Hello, this is an endpoint that leaks all the information of the users, like names, email, role, and OpenID, to an authenticated user.

Steps to reproduce

1) build the web app
2) host it either locally or on a server
3) try to add users with their data
4) visit http://localhost:5230/api/status
5) you can see all the users and their data

Attack scenario

anyone can build this web app on a server (e.g. http://example.com); an authenticated user can visit http://example.com/api/status and fetch all the data of the users

Impact

Information disclosure of all the users

We are processing your report and will contact the usememos/memos team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
STEVEN
a year ago

Maintainer


There is only the host user, without private data leaking.

{"data":{"host":{"id":101,"rowStatus":"NORMAL","createdTs":1671788452,"updatedTs":1671791679,"username":"demohero","role":"HOST","email":"demo@usememos.com","nickname":"Demo Hero","openId":"","userSettingList":null},"profile":{"mode":"dev","port":8080,"data":"/Users/steven/Projects/minecraft/memos/.air","dsn":"/Users/steven/Projects/minecraft/memos/.air/memos_dev.db","version":"0.8.3"},"dbSize":4096,"allowSignUp":true,"additionalStyle":"","additionalScript":"","customizedProfile":{"name":"memos","logoUrl":"","description":"","locale":"en","appearance":"system","externalUrl":""}}}
Ayoub
a year ago

Researcher


You didn't get the point: you can add more users to the application with all their data and visit the vulnerable link without authorization. For example, you can build it locally and add users, then open the vulnerable link from a private browser window, and you will see all their data.

Ayoub
a year ago

Researcher


Here is an attack scenario so you can clearly understand it:

  1. Let's build this web app on a server and link it to a domain name, https://example.com
  2. You will create an account in the web application for all your server users
  3. The users will start putting in their names, nicknames, emails ...
  4. Anyone from outside the server can access https://example.com/api/status and see all the data of the users, and this is a vulnerability since the data of the web app users should be unauthorized
STEVEN
a year ago

Maintainer


"all the data of the users"

I don't know what the data of users is. The API only returns the host user. And here is a demo site, please give it a try: https://demo.usememos.com/api/status

STEVEN
a year ago

Maintainer


And the data of the host user has been desensitized; e.g. openId will always be an empty string.

Ayoub
a year ago

Researcher


Let's say that the API returns only the host user; do you think that it's normal to display the email of the host and leak it to an unauthorized user? It's just better to fix this bug before it causes some other leakage in the future. Finally, the decision is yours if you want to make the web application more secure. Kind regards

We have contacted a member of the usememos/memos team and are waiting to hear back a year ago
STEVEN
a year ago

Maintainer


Got you, we will hide the email field later.
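
The fix the maintainer describes, shown as an added example in Go (the language memos is written in). This is illustrative code written for this page, not memos' own handler or the commit referenced below: the `User` type, `rawStatusHandler`, `hardenedStatusHandler`, `publicHostView`, `leakedFields` and `probeStatus` are all hypothetical names, and the host record is constructed sample data based on the demo response quoted earlier in the thread (with a non-empty openId added so the check has something to catch). The first handler hands the stored record straight to the JSON encoder, which is the pattern that exposes the email to an anonymous caller; the second builds an allow-listed view before encoding. `probeStatus` repeats the reporter's reproduction step in-process: an unauthenticated GET to /api/status, followed by a scan of the body for sensitive host fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// User mirrors the host-user fields visible in the /api/status response
// quoted in this thread. Illustrative stand-in, not memos' own type.
type User struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Role     string `json:"role"`
	Email    string `json:"email"`
	Nickname string `json:"nickname"`
	OpenID   string `json:"openId"`
}

// hostUser is constructed sample data; openId is set non-empty on purpose.
var hostUser = User{
	ID: 101, Username: "demohero", Role: "HOST", Email: "demo@usememos.com",
	Nickname: "Demo Hero", OpenID: "constructed-openid-value",
}

type statusResponse struct {
	Data struct {
		Host        User `json:"host"`
		AllowSignUp bool `json:"allowSignUp"`
	} `json:"data"`
}

func writeStatus(w http.ResponseWriter, host User) {
	var resp statusResponse
	resp.Data.Host = host
	resp.Data.AllowSignUp = true
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(resp)
}

// rawStatusHandler: the stored record goes straight to the encoder, so every
// field, email included, reaches an anonymous caller.
func rawStatusHandler(w http.ResponseWriter, r *http.Request) {
	writeStatus(w, hostUser)
}

// publicHostView copies only the fields an anonymous caller may see. Email and
// OpenID are never populated, so a sensitive field added to User later also
// stays out unless someone deliberately adds it here (allow-list, not deny-list).
func publicHostView(u User) User {
	return User{ID: u.ID, Username: u.Username, Role: u.Role, Nickname: u.Nickname}
}

// hardenedStatusHandler serves the allow-listed view.
func hardenedStatusHandler(w http.ResponseWriter, r *http.Request) {
	writeStatus(w, publicHostView(hostUser))
}

// leakedFields decodes a status body and lists the sensitive host keys that
// came back non-empty.
func leakedFields(body []byte) ([]string, error) {
	var raw struct {
		Data struct {
			Host map[string]interface{} `json:"host"`
		} `json:"data"`
	}
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, err
	}
	var leaked []string
	for _, key := range []string{"email", "openId"} {
		if v, ok := raw.Data.Host[key].(string); ok && v != "" {
			leaked = append(leaked, key)
		}
	}
	return leaked, nil
}

// probeStatus is the reporter's reproduction step done in-process: start the
// handler, GET /api/status with no cookie or token, and report what leaked.
func probeStatus(h http.HandlerFunc) ([]string, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/api/status")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return leakedFields(body)
}

func main() {
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{{"raw", rawStatusHandler}, {"hardened", hardenedStatusHandler}} {
		leaked, err := probeStatus(c.h)
		fmt.Printf("%-8s leaked=%v err=%v\n", c.name, leaked, err)
	}
}
```

The same probe run against a real deployment (curl without cookies, then grep the body for "email" and "openId") is the quickest regression check after upgrading: the endpoint is meant to be public for the sign-up page, so the question is not whether it answers anonymously but which host fields it answers with.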

STEVEN
a year ago

Maintainer


Could you change the title for this?

Ayoub modified the report
a year ago
Ayoub
a year ago

Researcher


Done

STEVEN validated this vulnerability a year ago
Ayoub has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 05b418 a year ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability a year ago