revoltchat / revite

Revolt client built with Preact.
https://app.revolt.chat
GNU Affero General Public License v3.0

[Bug] Global Link Discovery & Persistent Server-Side Content #236

Closed ghost closed 2 years ago

ghost commented 3 years ago

I got global link discovery and persistent content on Revolt servers, where people can copy the URL for sent message contents like photos and documents, which generates a link like https://autumn.revolt.chat/....../...... and these links can be accessed by anyone outside Revolt just by copy-pasting the link, even if he/she has no account on Revolt. It can help attackers to brute-force the paths for discovering shared content against any random users. And the problem is that the sent contents persist even if they have been deleted from both sides (such as DMs), which means the server stores the data permanently, which is very bad. I think most of the users won't like this feature, like Discord does. I am still able to access those contents for both users even after they have successfully deleted all their messages (from both sides) and their accounts, which is done by a ticket triggered via support mail.

Greetings, BL4CKH47H4CK3R!

insertish commented 3 years ago

It would be incredibly hard to brute force other links since the ID is too long. And it's persistent because of Cloudflare cache, I don't know if there's a way I could just invalidate it.

ghost commented 3 years ago

> It would be incredibly hard to brute force other links since the ID is too long. And it's persistent because of Cloudflare cache, I don't know if there's a way I could just invalidate it.

A powerful attacker never comes with a shitty configuration. Besides, a random 40-character string is not that hard to brute-force. The more users register, the easier it will be for an attacker to gain random user data!

insertish commented 2 years ago

Not hard to brute force? There are 21^40 possible combinations.

To put that into perspective, that's 77,405,494,483,928,356,601,681,434,130,536,198,019,976,749,447,352,801 unique combinations.

Let's say it takes 1 second to try each; it would take you 2.46e45 years.

Also, I believe there was an actual issue with revoltchat/autumn relating to the cache, but I've since fixed it. No data persists after delete.
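As an added illustration of the arithmetic in the comment above (this is not code from the revite project or from any participant), the script below computes the ID space and its entropy, and then the expected time to the first hit when many valid IDs are live at once, which is the "more users" objection raised earlier in the thread. The 21-symbol alphabet and 40-character length are taken from the thread; the 36- and 62-symbol cases and the attacker rates are assumptions added for comparison.

```python
# Added example: size of a random-ID keyspace and expected time to guess one,
# including the case where many valid IDs exist (probability per guess rises
# with the number of live objects, but the margin stays astronomic).
from fractions import Fraction
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct IDs of `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random ID of this shape."""
    return length * math.log2(alphabet_size)


def expected_guesses_to_hit_any(alphabet_size: int, length: int,
                                valid_ids: int) -> Fraction:
    """Expected uniform random guesses before the first hit when `valid_ids`
    distinct IDs are live: geometric distribution with success probability
    valid_ids / keyspace per guess, so the mean is keyspace / valid_ids."""
    space = keyspace(alphabet_size, length)
    if not 0 < valid_ids <= space:
        raise ValueError("valid_ids must be between 1 and the keyspace size")
    return Fraction(space, valid_ids)


def years_to_first_hit(alphabet_size: int, length: int, valid_ids: int,
                       guesses_per_second: int) -> float:
    """Expected years until the first hit at a given guessing rate."""
    guesses = expected_guesses_to_hit_any(alphabet_size, length, valid_ids)
    return float(guesses / (guesses_per_second * SECONDS_PER_YEAR))


if __name__ == "__main__":
    # 21 symbols is the figure from the thread; 36 and 62 are assumed
    # alphabets (base36 / base62) added here for comparison.
    for alphabet in (21, 36, 62):
        print(f"{alphabet}-symbol alphabet, 40 chars: {keyspace(alphabet, 40):,} IDs, "
              f"{entropy_bits(alphabet, 40):.1f} bits")
        # the thread's scenario: one guess per second against one target
        print(f"  1 guess/s, 1 valid ID:       {years_to_first_hit(alphabet, 40, 1, 1):.2e} years")
        # assumed strong attacker: 1e9 guesses/s with 1e9 live files to hit
        print(f"  1e9 guess/s, 1e9 valid IDs:  {years_to_first_hit(alphabet, 40, 10**9, 10**9):.2e} years")
```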

insertish commented 2 years ago

Closing due to inactivity.

I2rys commented 2 years ago

insertish is the one who is right here. You can't brute-force that. 💀