Zeptosec / Thermastore

Cloud storage. Can store large amount of large files. Relies on discord webhooks and supabase for storage.
https://thermastore.netlify.app
11 stars 4 forks source link

Webhook url security risk #22

Open pam-param-pam opened 1 month ago

pam-param-pam commented 1 month ago

Leaving a webhook URL in blank for everyone to see is a security risk. It would potentially allow everyone to see all files uploaded by it. https://discordapp.com/api/webhooks/1117930895102451764/l_mX88ApLhYBMkuu95IOuD4Xda3IzJvuAyuCHFRSdjIXHWzRED_4ZJ_u56Fr-ue4Pgf2 I've removed the webhook for you.

Zeptosec commented 1 month ago

There is a security risk, but as far as I know there currently is no API to get all the files uploaded by the webhook. Without knowing the message id that was sent using the webhook they can't delete it. So the only damage they can do is what you did now - removing webhooks and causing errors when try to use a deleted hook.

In reality you should use your own and shouldn't share them. These hooks that I provided they are in a server with no users. They are there for random users to test out the service. The only damage the attacker can do is to delete the hook, but if they know the hook and the attachment id then they can delete the file. But that should not happen if you're using your own hook and keeping it a secret.