[SECURITY] invoice details visible for everyone, you don't need to logged on.

[gery6]

Hello,

we just test this nice project, if you're logged and a store owner, you will see all invoices by clicking on "invoices". When you click on details you get an URL like ../invoices/$ID.

Copy that URL and log off from the website, you will see all invoice details. I guess this data may not visible for every one.

In our case, the email-adress could be read out.

Secure problem or wished feature?

[ndeet]

I also brought this up some time ago:

ndeet [vor 2 Monaten] @nicolasdorier sure Bitpay made bad decisions but with BTCPay we can make it better?

It's not about what the consumer sees but what anoymous data scraping bots could potentially see if they brute force invoice ids and reveal private addresses of customers.

The notification URL is the last thing I worry about. It is more about email addresses and physical addresses. Would it hurt if we mask (e.g. *****) the emails + physical addresses from that /invoices/{invoice-id} after say 1 month or so for anonymous users (talking about this page: https://btcpay.cryptosellcalc.com/invoices/65zudgd8Pr9chR33cgkYsL)? API: Because of keys + pairing I assume the API already restricts the endopoint to only allow authenticated users to fetch data? When I try to do above URL with a GET request (application/json) I get back masked data without emails or user addresses (which are visible on the browser accessible page): https://pastebin.com/7UFbH70x

The reasoning is that also BitPay does it this way.

The conclusion of discussion with @NicolasDorier and @Kukks was that:

• invoice id has 21 chars, random, which is very difficult to guess (I started to write a scrape script but gave up as the number is really huge, and even if you have random success you can't scrape really a lot of data)
• this is "hardened" by the fact that BTCPay merchant each runs their own server
• you can detect with other tools if somebody is trying to guess invoice ids (bruteforce requests to your server)

But yes, in general I'm still in favor of making the invoice unavailable after a configurable period of time and do better than BitPay in that regard. What I did for the Drupal Commerce BTCPay module is that I made it optional to pass the user data + email to BTCPay.

[pavlenex]

I'm not sure about masking after x days, but displaying this only for logged in admin/store owner is something I suggested a while ago.

Is there a technical reason why this sort of info has to be public, even when hashed?

[NicolasDorier]

It was actually hidden before.

I exposed it after somebody asked me why some code from bitpay was not working without auth. The rational is: If it is possible to access the invoice via API without auth, why not the html page as well?

That said, I am a bit uncomfortable as well about it. What about closing access by default, and only make it public if the merchant decide to do so in the store setting?

[pavlenex]

What about closing access by default, and only make it public if the merchant decide to do so in the store setting?

That sounds pretty reasonable. I think that would be the best.

[ndeet]

I have no idea why BitPay allows fetching invoice data via API or HTML without auth tbh. Ok, maybe customer wants to check it sometime later and guessing the 21 char invoice id is difficult. But why risk data leakage, security by obscurity I guess.

Agree, as a first step possibility to disable public access would be great.

On a second step (with new API some time in the future :)) would be great to be able to set it additionally on invoice level. This way you give the merchant/dev the possibility to show the invoice for e.g a few days/weeks public and you can hide it afterwards through an api call.

[pavlenex]

I don't see how this is useful for the customer tbh. They can preview their invoice from the e-commerce software already. I can see it may have some use-case for POS app and donations - maybe. I'd disable it and leave it optional as suggested.

[Eskyee]

Any Updates on this [SECURITY] ... I'm still being able to see ../invoices/$ID. without being logged in.. ??? this is a bug we need to remove ASAP. disable the public access would be great. i dont think it good for our users privacy. Nicolas

[pavlenex]

@Eskyee It's not as easy as you think. Invoices are hashed. But It would be good if we can disable it. I believe that the title of the issue is a bit over-hyped. Nevertheless, it's something we should address.

[Eskyee]

Yes I understand!! Maybe in the future updates..

But I like the Suggestion by Nicolas “That said, I am a bit uncomfortable as well about it. What about closing access by default, and only make it public if the merchant decide to do so in the store setting?”

Would this affect the POS app or the users from using BTCPAY as normal ??

Because if not !! I like the Suggestion made..

[NicolasDorier]

Fixed in 1.0.3.25 I tried to keep backward compatibility, but it turns out to be harder than expected.

I decided to just not allow access without proper authentication.