search

bigbluebutton / bigbluebutton

Complete open source web conferencing system.
https://bigbluebutton.org
GNU Lesser General Public License v3.0
8.48k stars 5.95k forks source link

[Privacy] Configurable avatar images allow tracking of users #13501

Open ichdasich opened 2 years ago

ichdasich commented 2 years ago

Describe the bug Joining with a set avatar revels the IP addresses of all other users in a conference.

To Reproduce Steps to reproduce the behavior:

  1. Set avatarURL to an URL you can view the access logs of
  2. Join a conference
  3. See the IPs of all users in that conference when you join in the access log

Expected behavior Upon join, BBB retrieves the image from the avatar URL, and re-hosts it.

Actual behavior Externally supplied content is directly handed to users, revealing their IP addresses.

BBB version: 2.3.15

Additional context I just rolled out 2.10.0.1, and first realized the tracking capabilities. I now ~rolled back to an earlier version of GL~implemented a workaround, as setting useDefaultAvatar=true/defaultAvatarURL in bbb-web.properties did not prevent avatars from being set (related bug?) This is a relatively serious issue for BBB instances run in jurisdictions where the GDPR applies. Greenlight is similarly affected, even though on a smaller scope (people clicking on a join URL, see https://github.com/bigbluebutton/greenlight/issues/2956).

ffdixon commented 2 years ago

I am the product manager of BigBlueButton. Thanks for reporting this.

We'll take a closer look at this right away and ensure you have the logic to disable avatar URLs. We'll deal with Greenlight allowing the user to specify an Avatar in bigbluebutton/greenlight#2956.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

antobinary commented 2 years ago

and ensure you have the logic to disable avatar URLs

From what I can see, in BBB we added virtualBackgroundsDisabled in 2.4 and then in 2.5+ we replaced it with disabledFeatures=virtualBackgrounds

prlanzarin commented 2 years ago

This is related to user avatar images, not virtual backgrounds.

ffdixon commented 2 years ago

Is this also related more to the front-end that is creating the API calls? The issue arose when GreenLight allowed users to enter arbitrary URLS for avatars, where it needs to let the user upload an avatar and give BigBlueButton it's own GreenLight-specific URL (not a user supplied URL).

In other words, I think this was more a GreenLight issue than a BigBlueButton issue. Just as you upload slides to the front end and it, in turn, passes it's own URL to BigBlueButton to load the slides, so should it be for the avatar.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 4 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.