binwiederhier / ntfy

Send push notifications to your phone or desktop using PUT/POST
https://ntfy.sh
Apache License 2.0

Brute force Subscription Names #853

Closed vysecurity closed 1 year ago

vysecurity commented 1 year ago

If you host an externally accessible ntfy server, couldn't someone brute force the subscription names to:

1) Read the subscription

2) SPAM your subscription?

There doesn't appear to be any authentication by default. It's publicly accessible by default.

Why is it not "secure by default"?

Mr-KayJayDee commented 1 year ago

You can enable auth using nginx or any reverse proxy you are using ^^

binwiederhier commented 1 year ago

> If you host an externally accessible ntfy server, couldn't someone brute force the subscription names

If you don't have ACLs set up, the topic name is your password, it says so everywhere. If you choose an easy-to-guess/dumb topic name, people will be able to guess it. If you choose a randomly generated topic name, the topic is as good as a good password.

As for brute forcing: it's not possible to brute force a ntfy server for very long, as you'll get quickly rate limited. For ntfy.sh, there's even a fail2ban in place which will ban your IP pretty quickly. Even without that, brute forcing a random 10 digit topic name would take years.

> Why is it not "secure by default"?

  1. Sometimes, convenience is more important than security. Sometimes, it doesn't really matter all that much if people know "backup xyz is done".
  2. It is 100% secure by default if you choose a good topic. It just puts the responsibility on the user.
  3. ntfy is simple, simple, simple. Passwords, accounts and all that are the opposite of simple.
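As an added illustration of the "topic name is your password" argument above (example code, not part of the thread or of the ntfy project), the following Python computes the search space and entropy of a random topic name of a given length and how many years exhausting it would take at a fixed guess rate, and generates a topic name with the OS CSPRNG. The guess rates used are assumptions for comparison, not ntfy's configured rate limits.

```python
import math
import secrets
import string

# ntfy topic names are limited to letters, digits, underscore and hyphen
# (64 symbols, 6 bits per character); that alphabet is used here for
# generating random topic names.
TOPIC_ALPHABET = string.ascii_letters + string.digits + "_-"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct topic names of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random topic name, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to enumerate every topic name at a fixed guess rate.

    The expected time to hit one specific topic is half of this value.
    """
    return search_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def generate_topic(length: int = 16) -> str:
    """Random topic name drawn from the OS CSPRNG, usable as a 'password'."""
    return "".join(secrets.choice(TOPIC_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Assumed guess rates: an unthrottled-ish 1000/s versus a throttled 1/s.
    cases = [("10 digits (as in the comment)", 10, 10),
             ("16 chars from the topic alphabet", len(TOPIC_ALPHABET), 16)]
    for label, size, length in cases:
        print(f"{label}: {entropy_bits(size, length):.1f} bits")
        for rate in (1000.0, 1.0):
            print(f"  {rate:>6.0f} guesses/s -> {years_to_exhaust(size, length, rate):.2e} years")
    print("example random topic:", generate_topic())
```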