Closed liamcain closed 8 months ago
Hi, @Alt-er, the Obsidian team received a report that some users might accidentally be using the default server configuration to sync real, private notes. The server does not seem to require any authentication, and users are pressing sync in their private vaults and receiving files from other users using the same default configuration.
As a precaution, we ask that you remove the default configuration from the plugin and add a warning that this server is not to be used with any private data. We can add the plugin back to the plugin list once this issue is resolved. Thanks!
I don't understand why users can get files uploaded by other users. Although the default value for the service address is
I am using this default service
Reasons for setting default service configuration:
As for what you said about ‘The server does not seem to require any authentication’, I don’t know where to start because I have a complete account and password verification function.
If you feel that the plugin should not provide this default service, please let me know and I will remove the default service configuration immediately.
@liamcain
@liamcain
Hi @Alt-er, sorry for not responding last week. I appreciate your patience.
After further investigation of the security report, and additional testing of the plugin, I was not able to reproduce the reported issue. I did uncover 2 things that I think are worth fixing though:
I am going to add the plugin back to the plugin directory now, but I advise you to make those fixes to avoid other similar issues from happening in the future.
Thank you very much, I will fix the above problem in a later version