okfde / froide

Freedom Of Information Portal
MIT License
357 stars 86 forks

Information leak when calling the ombudsperson #300

Closed intrigus closed 5 years ago

intrigus commented 5 years ago

Edit: This has been based on my wrong testing; there is no problem...

Suppose this scenario:

  1. You have a non-published request.

Now you call the ombudsperson ("Vermittlung"). This will generate an email that looks like this:

Die bisherige Korrespondenz finden Sie hier:

https://fragdenstaat.de/a/123456/auth/[some hash]/

The link in the email is a passwordless login link for my account.

This poses two threats:

  1. The ombudsperson now has full access to my account.
  2. When I publish the request, everybody can access my account.

Proposed fix:

Create a special share link which allows viewing the non-published request. But don't use the passwordless login link of the user.

stefanw commented 5 years ago

Thanks for your concern. However, I would appreciate some more diligence.

  1. The ombudsperson now has full access to my account.

Wrong: the link does not grant a login. It gives read-only access to this one request. It allows seeing redacted parts and allows downloading the request as PDF or ZIP with all attachments. A special message is shown to warn the user of the link to share it responsibly.

  2. When I publish the request everybody can access my account

Wrong: the link is always redacted in the message and not visible to the public.

If you have indications that any of the above is not correct, please let me know. Also please report potentially security-related concerns like this privately via email to the site owners.
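The two properties stefanw describes above (a link that is scoped to one request and never logs anyone in, and a token that is stripped from anything shown publicly) are easy to state as code. The block below is an added example written for this thread, not froide's own implementation: the URL shape comes from the issue, but the HMAC-based token derivation, the `SERVER_SECRET` value, the permission names and the `publish_message` stand-in are all assumptions.

```python
import hashlib
import hmac
import re

# Constructed secret for this example only; assumption: a real deployment keeps
# its signing key in server configuration, never in source.
SERVER_SECRET = b"example-signing-key-not-for-production"

# URL shape is taken from the thread; the token scheme below is an assumption.
SITE = "https://fragdenstaat.de"


def make_request_share_token(request_id: int, secret: bytes = SERVER_SECRET) -> str:
    """Derive a token bound to exactly one request.

    Binding the request id into the MAC means a token minted for request 123456
    says nothing about request 123457 and nothing about the owner's account.
    """
    message = f"request-share:{request_id}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request_share_token(request_id: int, token: str,
                               secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time check that `token` was minted for `request_id`."""
    expected = make_request_share_token(request_id, secret)
    return hmac.compare_digest(expected, token)


def share_url(request_id: int) -> str:
    """Build the /a/<id>/auth/<token>/ link the ombudsperson mail carries."""
    return f"{SITE}/a/{request_id}/auth/{make_request_share_token(request_id)}/"


def scope_for_link(request_id: int, token: str):
    """What a valid link grants: read-only access to one request, never a login.

    Returns None for an invalid or mismatched token. The permission names are
    assumptions chosen to mirror the capabilities described in the thread.
    """
    if not verify_request_share_token(request_id, token):
        return None
    return {
        "request_id": request_id,
        "permissions": frozenset({"view_unredacted", "download_pdf", "download_zip"}),
        "grants_login": False,
    }


# Matches share links of the shape quoted in the issue so the token can be
# stripped from any text that is shown publicly.
AUTH_LINK_RE = re.compile(re.escape(SITE) + r"/a/(\d+)/auth/[0-9a-f]+/")


def redact_auth_links(text: str) -> str:
    """Replace the token part of every share link before a message is published."""
    return AUTH_LINK_RE.sub(SITE + r"/a/\1/auth/[redacted]/", text)


def publish_message(text: str) -> str:
    """Constructed stand-in for the publish step: the public copy never carries a token."""
    public_text = redact_auth_links(text)
    if AUTH_LINK_RE.search(public_text):
        raise ValueError("unredacted share link would be published")
    return public_text


if __name__ == "__main__":
    # Constructed mail body in the shape quoted in the issue.
    mail = "Die bisherige Korrespondenz finden Sie hier:\n" + share_url(123456) + "\n"
    token = make_request_share_token(123456)
    print(scope_for_link(123456, token))   # read-only scope, grants_login False
    print(scope_for_link(123457, token))   # None: the token is bound to 123456
    print(publish_message(mail))           # link survives, token is [redacted]
```

Two design points carry the argument: `scope_for_link` is the only place a token is turned into permissions, and it can only ever return a request-scoped, read-only scope, so there is no code path from the link to a user session; and `publish_message` refuses to emit text in which a live token survived redaction, which is the check that matters when a request is later made public.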

intrigus commented 5 years ago

Sorry for wasting your time, I guess I made a mistake when testing it :( I thought I had opened the link in an incognito tab but instead opened it in my non-incognito (already authenticated) tab.

In the future I will report by mail and double check my report...

stefanw commented 5 years ago

Don't worry about it. Feel free to poke around in case there are edge cases we missed.

rugk commented 5 years ago

A special message is shown to warn the user of the link to share the link responsibly.

Maybe it's also a good idea to directly mention that in the automatic mail (text/body?), because:

  1. then the ombudsperson knows the link is confidential without clicking it (it could be, e.g., that they want to copy and paste/share it with someone else without looking at it first)
  2. it may prevent those who create a request (such as the OP here) from misinterpreting what this link allows/does.