btcpayserver / btcpayserver-greenfield-php


Exception contains sensitive Information: StoreID in URL #94

Closed petzsch closed 1 year ago

petzsch commented 1 year ago

Caused by this line: https://github.com/btcpayserver/btcpayserver-greenfield-php/blob/10df17744f4a4c6f79c94935f50e44d5dcdee4eb/src/Exception/RequestException.php#L13

When Bitcoin Core is still syncing and you create an Invoice, you might get this error message if your client code prints the exception message to the user. The problem with this: we are exposing the STORE-ID here:

Error: Error during POST to https://BTCPAY_BASE_URL/api/v1/stores/STORE-ID/invoices. Got response (400): {"code":"generic-error","message":"Warning: You have payment methods configured but none of them match any of the requested payment methods or the rate is not available. See logs below:\n12/05/2022 19:06:45:Info Creation of invoice starting\n12/05/2022 19:06:46:Info BTC_EUR: The rating rule is coingecko(BTC_EUR)\n12/05/2022 19:06:46:Info BTC_EUR: The evaluated rating rule is 16256.43\n12/05/2022 19:06:46:Info BTC (On-Chain): Payment method details creation took 13 milliseconds\n12/05/2022 19:06:46:Error BTC: Payment method unavailable (Full node not available)\n"}

With the Store-ID an attacker could query the Rates endpoint, which is public: https://BTCPAY_BASE_URL/api/rates?storeId=STORE-ID

Since Coingecko has a rate limit, this could be used to effectively DOS your btcpayserver's ability to create invoices.
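The practical mitigation on the client side, whatever one decides about the sensitivity of the store ID, is to never hand the raw exception message to an end user: keep the full text (URL, status, server log lines) for the operator log and show the user only the server's human-readable `message` with the diagnostics stripped. The following is an added example, not code from btcpayserver-greenfield-php; `splitGreenfieldError` is a hypothetical helper, and the message layout it parses is assumed from the exception text quoted in this issue.

```php
<?php
// Added example (not part of the btcpayserver-greenfield-php library).
// Splits a RequestException message of the assumed form
//   "Error during <METHOD> to <url>. Got response (<status>): <json body>"
// into an operator log line (full detail) and a user-facing string that
// carries neither the request URL nor the server-side log lines.

/**
 * @return array{log: string, user: string}
 */
function splitGreenfieldError(string $exceptionMessage): array
{
    $fallback = 'The payment request could not be created. Please try again later.';

    // Layout taken from the message quoted in the issue; assumed to be stable.
    $pattern = '/^Error during (?<method>[A-Z]+) to (?<url>\S+)\. '
             . 'Got response \((?<status>\d+)\): (?<body>.*)$/s';
    if (!preg_match($pattern, $exceptionMessage, $m)) {
        // Unknown shape: log everything, tell the user nothing specific.
        return ['log' => $exceptionMessage, 'user' => $fallback];
    }

    $body = json_decode($m['body'], true);
    $code = is_array($body) && isset($body['code']) ? (string) $body['code'] : 'unknown';
    $serverMessage = is_array($body) && isset($body['message'])
        ? (string) $body['message'] : $m['body'];

    // Everything from "See logs below:" onward is server diagnostics: drop it
    // from the user-facing text but keep it in the log line.
    $userMessage = trim(preg_replace('/\s*See logs below:.*$/s', '', $serverMessage));
    if ($userMessage === '') {
        $userMessage = $fallback;
    }

    return [
        'log'  => sprintf('%s %s -> %s (%s): %s',
                          $m['method'], $m['url'], $m['status'], $code, $serverMessage),
        'user' => $userMessage,
    ];
}

// Constructed sample reproducing the shape of the message quoted in the issue.
$sample = 'Error during POST to https://BTCPAY_BASE_URL/api/v1/stores/STORE-ID/invoices. '
    . 'Got response (400): {"code":"generic-error","message":"Warning: You have payment '
    . 'methods configured but none of them match any of the requested payment methods '
    . 'or the rate is not available. See logs below:\n12/05/2022 19:06:46:Error BTC: '
    . 'Payment method unavailable (Full node not available)\n"}';

$parts = splitGreenfieldError($sample);
error_log($parts['log']);     // operator log: method, full URL, status, code, full message
echo $parts['user'], PHP_EOL; // user sees only the "Warning: ... not available." sentence
```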

Kukks commented 1 year ago

Store Id is regarded as public info. It is trivially exposed on most btcpay user facing apps, including the checkout.

Our rates endpoint caches internally, AFAIR.

On Mon, Dec 5, 2022, 8:19 PM Markus Petzsch wrote:


petzsch commented 1 year ago

OK, sorry for screaming fire at this one. 🔥 Couldn't DOS my own rates endpoint with: for i in {1..500}; do curl "http://cryptonode.local/api/rates/?storeId=STORE-ID"; done;

so I guess it's safe to assume that it is cached. (Rate limit by coingecko is somewhere at around 10-50 / minute.) Closing this one.