jurteam / platform

Jur Beta Platform
https://beta.jur.io

FIX User private info exposed #303

Open tyagishuchi1 opened 4 years ago

tyagishuchi1 commented 4 years ago
  1. Any user's private profile info can be accessed publicly by anybody as long as the wallet address is known. And since the Smart contract's addresses are public and the Oath Keeper/Advocate openly mentions the list of wallets, addresses can be very easily accessed. Although all APIs expose data publicly, with this API a wallet address can be attached to a user's real world identity.
  2. It also exposes the id related to the user, which makes the JBP DB too predictable for resource harvesting.

Expected Behavior

The API should only return the info if the user is authorized

Possible Solution

Steps to Reproduce

Environment: Beta/Test/Temp

  1. Send a GET request to https://beta.jur.io/api/v1/user providing wallet as a header

mtmsuhail commented 4 years ago

@tyagishuchi1 This issue was reported earlier; it is also an issue with many other endpoints.

Ex:

  1. Send a DELETE request to https://beta.jur.io/api/v1/user providing wallet as a header
  2. Send a PUT request to https://beta.jur.io/api/v1/user providing wallet as a header with body content

Solution: We should authenticate the wallet using some methods like this