Email exposure of users to an authorized user in usememos/memos

Valid

Reported on

Dec 22nd 2022


Description

Hello, this is an endpoint that leaks all the users' information (names, email, role, and OpenID) to an authenticated user.

Steps to reproduce

1) Build the web app.
2) Host it either locally or on a server.
3) Add users with their data.
4) Visit http://localhost:5230/api/status
5) You can see all the users and their data.

Attack scenario

Anyone can build this web app on a server (e.g. http://example.com); an authenticated user can then visit http://example.com/api/status and fetch all the users' data.

Impact

Information disclosure of all the users

We are processing your report and will contact the usememos/memos team within 24 hours. 18 days ago
STEVEN
17 days ago

Maintainer


There is only the host user, without private data leaking.

{
  "data": {
    "host": {
      "id": 101,
      "rowStatus": "NORMAL",
      "createdTs": 1671788452,
      "updatedTs": 1671791679,
      "username": "demohero",
      "role": "HOST",
      "email": "demo@usememos.com",
      "nickname": "Demo Hero",
      "openId": "",
      "userSettingList": null
    },
    "profile": {
      "mode": "dev",
      "port": 8080,
      "data": "/Users/steven/Projects/minecraft/memos/.air",
      "dsn": "/Users/steven/Projects/minecraft/memos/.air/memos_dev.db",
      "version": "0.8.3"
    },
    "dbSize": 4096,
    "allowSignUp": true,
    "additionalStyle": "",
    "additionalScript": "",
    "customizedProfile": {
      "name": "memos",
      "logoUrl": "",
      "description": "",
      "locale": "en",
      "appearance": "system",
      "externalUrl": ""
    }
  }
}
Ayoub
17 days ago

Researcher


You didn't get the point: you can add more users to the application with all their data, and visit the vulnerable link without any authorization. For example, you can build it locally and add users, then open the vulnerable link from a private browser window, and you will see all their data.

Ayoub
17 days ago

Researcher


Here is an attack scenario so you can clearly understand it:

  1. Let's build this web app on a server and link it to a domain name, https://example.com
  2. You create an account in the web application for all your server users.
  3. The users start putting in their names, nicknames, emails, ...
  4. Anyone from outside the server can access https://example.com/api/status and see all the users' data. This is a vulnerability, since the data of the web app users should not be accessible without authorization.
STEVEN
17 days ago

Maintainer


"all the data of the users"

I don't know what the data of the users is. The API only returns the host user. And here is a demo site, please give it a try: https://demo.usememos.com/api/status

STEVEN
17 days ago

Maintainer


And the data of host user has been desensitized. e.g. openId will always be an empty string.

Ayoub
17 days ago

Researcher


Let's say that the API returns only the host user. Do you think that it's normal to display the email of the host, and leak it to an unauthorized user? It's just better to fix this bug before it causes some other leakage in the future. Finally, the decision is yours if you want to make the web application more secure. Kind regards

We have contacted a member of the usememos/memos team and are waiting to hear back 17 days ago
STEVEN
17 days ago

Maintainer


Got you, we will hide the email field later.
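
The fix the maintainer agrees to above amounts to never handing the stored host record to the JSON encoder as-is on an unauthenticated endpoint. The following is an added example (not the memos project's code and not the commit referenced in this thread) of a status handler built both ways, plus the substring check a reviewer would run against /api/status from a logged-out session. The HostUser type and the sample values are constructed from the field names in the JSON quoted earlier in the thread; the redact flag, RedactHost, ServeStatus and LeaksEmail are hypothetical names chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// HostUser mirrors the field names visible in the /api/status JSON quoted in
// this thread. It is a stand-in type for illustration, not the memos project's
// own user model.
type HostUser struct {
	ID        int    `json:"id"`
	RowStatus string `json:"rowStatus"`
	CreatedTs int64  `json:"createdTs"`
	UpdatedTs int64  `json:"updatedTs"`
	Username  string `json:"username"`
	Role      string `json:"role"`
	Email     string `json:"email"`
	Nickname  string `json:"nickname"`
	OpenID    string `json:"openId"`
}

// StatusResponse is the slice of the status payload this example serves.
type StatusResponse struct {
	Host        HostUser `json:"host"`
	AllowSignUp bool     `json:"allowSignUp"`
}

// RedactHost returns a copy of the host record with the fields an anonymous
// caller has no need for blanked out. Email is what the thread agrees to hide;
// openId is cleared as well so the endpoint stays safe even if the stored
// value is ever non-empty. The caller's struct is not modified.
func RedactHost(u HostUser) HostUser {
	u.Email = ""
	u.OpenID = ""
	return u
}

// statusHandler builds the unauthenticated /api/status handler (hypothetical
// name). With redact=false it reproduces the reported behaviour: the stored
// record is encoded as-is. With redact=true every response goes through
// RedactHost before it reaches the encoder.
func statusHandler(host HostUser, allowSignUp, redact bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		h := host
		if redact {
			h = RedactHost(h)
		}
		resp := map[string]StatusResponse{
			"data": {Host: h, AllowSignUp: allowSignUp},
		}
		w.Header().Set("Content-Type", "application/json")
		if err := json.NewEncoder(w).Encode(resp); err != nil {
			http.Error(w, "encode failed", http.StatusInternalServerError)
		}
	}
}

// ServeStatus runs the handler in-process with httptest and returns the
// response body, so the check below needs no network or running server.
func ServeStatus(host HostUser, allowSignUp, redact bool) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/status", nil)
	statusHandler(host, allowSignUp, redact)(rec, req)
	return rec.Body.String()
}

// LeaksEmail reports whether a status body still carries the given address.
// The same substring check, run against a deployed instance's /api/status
// from a logged-out session, is how to confirm a fix.
func LeaksEmail(body, email string) bool {
	return email != "" && strings.Contains(body, email)
}

func main() {
	// Constructed sample reusing the values from the JSON quoted in the thread.
	host := HostUser{
		ID: 101, RowStatus: "NORMAL", CreatedTs: 1671788452, UpdatedTs: 1671791679,
		Username: "demohero", Role: "HOST", Email: "demo@usememos.com", Nickname: "Demo Hero",
	}
	for _, redact := range []bool{false, true} {
		body := ServeStatus(host, true, redact)
		fmt.Printf("redact=%v leaks email=%v\n%s", redact, LeaksEmail(body, host.Email), body)
	}
}
```

The point of routing through a redaction function rather than deleting the field from one handler is that any future caller that serialises the host record on a public path gets the same treatment; fields such as username and nickname, which the page is designed to show, are left intact.
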

STEVEN
17 days ago

Maintainer


Could you change the title for this?

Ayoub modified the report
16 days ago
Ayoub
16 days ago

Researcher


Done

STEVEN validated this vulnerability 16 days ago
Ayoub has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.9.1 with commit 05b418 16 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 16 days ago