User can still receive document content after being removed from a collection in outline/outline

Valid

Reported on Jul 1st 2022


Description

An admin can grant a member access to a private collection. If the admin later removes that user from the collection, the user can still receive realtime document updates for documents in that collection, as long as a collaboration websocket that was opened while they were still a member stays alive.

Proof of Concept

1. From the admin account, invite user-B with the "member" role.

2. From the admin account, create a private collection called collect-1.
3. From the admin account, change the collection's permissions as below:

Default Access --> No access
Additional access --> add user-B here with "view and edit" permission

So user-B is now a member of this collection and can see its documents.
4. From the admin account, add a document doc-1 to the newly created collection collect-1.
5. user-B can now edit this document because they are a member of the collection.
So user-B opens the document URL https://myacc.getoutline.com/doc/dco2-LphFaOA1Ls in a browser window and can edit it.
All realtime collaboration data for this document is delivered over the websocket connection https://collaboration.getoutline.com/collaboration/document.1ad60950-9e50-4316-8cd9-6f4ff49d7f31, so keep this browser window open.

6. Now go to the admin account and remove user-B from the collection. user-B should no longer be able to access any document in this collection, because user-B is not a member anymore and the default access is "No access".

7. Now, from the admin account, edit the content of document doc-1.
The realtime update is visible to user-B, because user-B still has the document window from step 5 open.
Any change the admin makes to this document appears in user-B's window from step 5.

Because user-B kept the browser window open, the realtime collaboration websocket connection is still alive, and every change the admin makes reaches user-B over https://collaboration.getoutline.com/collaboration/document.1ad60950-9e50-4316-8cd9-6f4ff49d7f31. The collaboration server does not re-check user-B's access on an already-established connection, so the removal from the collection never takes effect for that websocket.

So user-B has been removed from the collection, but because the browser window stayed open the collaboration websocket is still alive and user-B keeps receiving realtime updates.
I checked 30 minutes after removing user-B from the collection and user-B was still receiving data via this websocket.
So user-B can receive realtime collaboration data for a long time after removal, as long as the websocket connection can be kept alive.

Impact

An unprivileged user can continue to receive realtime collaboration data for a document after being removed from its collection.

We are processing your report and will contact the outline team within 24 hours. a month ago
We have contacted a member of the outline team and are waiting to hear back a month ago
Tom Moor modified the Severity from High to Low a month ago
Tom Moor modified the Severity from Low to Medium (5.4) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Tom Moor validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor (a month ago):

Fix in progress here: https://github.com/outline/outline/pull/3729

Tom Moor confirmed that a fix has been merged on 5d4986 a month ago
The fix bounty has been dropped
Tom Moor (a month ago):

We have fixed this on the frontend only for now: if your access is removed, the frontend will correctly remove all data locally and kick you out of the document.

The collaboration server is unaware of this change, so if a websocket is manually formed with all the correct authorization and document details, it is possible to receive binary packages of changes that happen in the document after access is removed. This is considered an acceptable risk to the project.
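As an added illustration of the gap described in the proof of concept above and in the maintainer's note that the collaboration server is unaware of membership changes, here is a toy in-memory collaboration hub in JavaScript. It is not part of the report and not Outline's code or its collaboration server: a hub that checks authorization only when the websocket is admitted (the reported behaviour) sits beside one that re-validates the ACL on every broadcast and closes connections when access is revoked. All names in it (Acl, FakeSocket, VulnerableHub, HardenedHub, replayReport) and the collection/permission model are assumptions made for illustration.

```javascript
// Added example (not Outline's code, not its collaboration server): an in-memory
// model of a realtime collaboration hub. VulnerableHub checks the ACL only when a
// websocket is admitted, which reproduces the report; HardenedHub re-checks the
// ACL on every broadcast and closes connections when access is revoked. The names
// Acl, FakeSocket, user-B, collect-1 and doc-1 are assumptions for illustration.

class Acl {
  constructor() {
    this.collections = new Map(); // name -> { defaultAccess: 'none'|'view'|'edit', members: Map(user -> perm) }
    this.documents = new Map();   // document id -> collection name
  }
  createCollection(name, defaultAccess) { this.collections.set(name, { defaultAccess, members: new Map() }); }
  addDocument(docId, collection) { this.documents.set(docId, collection); }
  grant(collection, user, perm) { this.collections.get(collection).members.set(user, perm); }
  revoke(collection, user) { this.collections.get(collection).members.delete(user); }
  collectionOf(docId) { return this.documents.get(docId); }
  // Receiving realtime updates requires at least view access via the document's collection.
  canRead(user, docId) {
    const col = this.collections.get(this.collectionOf(docId));
    if (!col) return false;
    return col.members.has(user) || col.defaultAccess !== 'none';
  }
}

// Stand-in for a websocket: records what the client received and whether it was closed.
class FakeSocket {
  constructor(user, docId) { Object.assign(this, { user, docId, received: [], closed: false }); }
  send(update) { if (!this.closed) this.received.push(update); }
  close() { this.closed = true; }
}

class VulnerableHub {
  constructor(acl) { this.acl = acl; this.sockets = new Set(); }
  connect(socket) {
    // Authorization is evaluated exactly once, when the connection is opened.
    if (!this.acl.canRead(socket.user, socket.docId)) { socket.close(); return false; }
    this.sockets.add(socket);
    return true;
  }
  broadcast(docId, update) {
    // Every socket ever admitted to the document keeps receiving updates, whatever the ACL says now.
    for (const s of this.sockets) if (s.docId === docId) s.send(update);
  }
  onAccessRevoked() { /* the vulnerable hub never learns about revocations */ }
}

class HardenedHub extends VulnerableHub {
  broadcast(docId, update) {
    // Re-check the ACL for every recipient on every update. Deleting from a Set
    // while iterating it with for...of is safe in JavaScript.
    for (const s of this.sockets) {
      if (s.docId !== docId) continue;
      if (this.acl.canRead(s.user, docId)) s.send(update);
      else { s.close(); this.sockets.delete(s); }
    }
  }
  onAccessRevoked(user, collection) {
    // Also tear the connection down eagerly, so the client is kicked out even if
    // nobody edits the document again.
    for (const s of this.sockets) {
      if (s.user !== user || this.acl.collectionOf(s.docId) !== collection) continue;
      if (!this.acl.canRead(user, s.docId)) { s.close(); this.sockets.delete(s); }
    }
  }
}

// Replays the report's steps 3-7 against a hub and returns what user-B observed.
// notifyHub=false models an app that never tells the hub about the revocation.
function replayReport(HubClass, notifyHub = true) {
  const acl = new Acl();
  acl.createCollection('collect-1', 'none');          // step 3: Default Access -> No access
  acl.grant('collect-1', 'user-B', 'edit');           // step 3: additional access for user-B
  acl.addDocument('doc-1', 'collect-1');              // step 4: doc-1 lives in collect-1
  const hub = new HubClass(acl);
  const sock = new FakeSocket('user-B', 'doc-1');
  hub.connect(sock);                                  // step 5: user-B opens doc-1 and keeps the tab open
  hub.broadcast('doc-1', 'update-1 (user-B still a member)');
  acl.revoke('collect-1', 'user-B');                  // step 6: admin removes user-B
  if (notifyHub) hub.onAccessRevoked('user-B', 'collect-1');
  hub.broadcast('doc-1', 'update-2 (after removal)'); // step 7: admin keeps editing
  return { received: sock.received, closed: sock.closed };
}

console.log('vulnerable:', replayReport(VulnerableHub));
console.log('hardened:  ', replayReport(HardenedHub));
```

The per-broadcast re-check is the part that matters for the scenario in the report: even when the application never notifies the hub about the revocation, the hardened hub closes user-B's socket at the next update instead of delivering it. The eager close on revocation only adds that the client is kicked out immediately rather than at the next edit.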
