Discobot Certificate Issues [title, public access, user id information leak]

Hi everyone,

we just discovered three things while testing our new Discourse site with the certificate created by discobot after finishing the tutorial:

  1. the html ‘title’ tag is “test_cert”
  2. the certificate can be accessed without being logged in to Discourse
  3. the certificate is created dynamically by getting the user_id within the URL. Using this anyone can go through all user_id from 1 to * and get info about all created users.

Especially the third point bothers us as we try to not publish any user info of users unless they post actively. This together with point 2 is a big information leak…

Example:
https://meta.discourse.org/discobot/certificate.svg?date=Aug+08+2018&user_id=43951

2 Likes

Hmm any thoughts @tgxworld? We don’t want randos generating certs, so at minimum anons shouldn’t be able to do this.

I’ll fix this next week once I’m back from my short break :grin:

@bkampmeyer Is your site a login only forum? The only info exposed by the SVG is the username and that could potentially allow them to access more public information via the /u/<username> route. However, I don’t see it as an information leak since the information is meant to be public.

5 Likes

Hey Jeff and Alan,

thanks for your quick replies! Really appreciate that!

Nope, it’s not as we want it readable to everyone. However, we want to protect as much information as possible from our accounts which don’t post.

The latter is used by us to let people get mails when we publish News (by ‘watching’ the category).
As it’s a special use case I’m not sure how many people will be troubled by this behaviour…

I’m more worried about the ddos type effect if we let anons create the certs.

Hmm but if someone is going to write a script and loop through all the possible user ids, they can do the same with the /u/<username> route.

2 Likes

I can think of more expensive routes people could hit if they wanted to hurt us, generating the svg cert is super cheap

Also, you can get user lists more efficiently by going to directory which lists chunks of 30 or so to anon

I really see no urgency to change anything here

Of course, but incrementing the user_id is much more efficient than creating random usernames.

Could you specify that? Which directory will list the users?

https://meta.discourse.org/u

You can also just crawl the forum and collect usernames, I am failing to see the drama or urgency here

2 Likes

The ‘/u’ doesn’t work if you disable the setting ‘enable user directory’.

No urgent drama from my side but if you try everything to hide users who don’t post on public categories this certificate behavior isn’t very pleasant…

At minimum only logged in users should be able to trigger it though.

1 Like

Oh we will fix this for sure, I just think it can wait till Monday, you should only be allowed to generate the svg file for yourself really

3 Likes
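
The restriction described in the post above (logged-in users only, and only for their own certificate), shown next to the reported behaviour. This is an added example, not part of the thread and not Discourse's own code; the handler names, the `Response` struct and the sample users are hypothetical and constructed for illustration.

```ruby
# Added illustration, not Discourse source. All names here are hypothetical.
User = Struct.new(:id, :username)
Response = Struct.new(:status, :body)

# Constructed sample accounts.
USERS = { 1 => User.new(1, "alice"), 2 => User.new(2, "bob") }.freeze

XML_ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                '"' => "&quot;", "'" => "&#39;" }.freeze

# Escape values before they are placed into the SVG markup.
def xml_escape(text)
  text.to_s.gsub(/[&<>"']/, XML_ESCAPES)
end

def render_certificate(user, date)
  %(<svg xmlns="http://www.w3.org/2000/svg"><title>Certificate</title>) +
    %(<text>#{xml_escape(user.username)} #{xml_escape(date)}</text></svg>)
end

# Behaviour reported in the thread: the subject of the certificate is taken
# from the user_id query parameter and the session is never consulted.
def certificate_before(params, _current_user)
  user = USERS[params["user_id"].to_i]
  return Response.new(404, "") unless user
  Response.new(200, render_certificate(user, params["date"]))
end

# Restricted form: anonymous requests are refused, and the certificate is
# always rendered for the session user. A user_id that names someone else
# is rejected instead of being silently ignored.
def certificate_after(params, current_user)
  return Response.new(403, "") if current_user.nil?
  requested = params["user_id"]
  if requested && requested.to_s != current_user.id.to_s
    return Response.new(403, "")
  end
  Response.new(200, render_certificate(current_user, params["date"]))
end
```
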

You are headed down a long rabbit hole here, what about autocomplete JSON api, type @a in a post and you can see the call. Fishing out all usernames is trivial that way. Seal that and then what about search, it searches for usernames, even anon gets to do that.

At some point you are destroying usability cause of an incorrect assumption

Starting to see that as well, thanks for the other hints regarding the userlists nonetheless!

I’m aware that Discourse wasn’t designed with such use cases in mind and that it’s quite a complex software so ensuring no user information is publicly available is either naive or unrealistic.

Apart from little customization issues we’re really thrilled by Discourse and its abilities, thanks for coding/testing/thinking/setting up/sharing!

Fixed in

Thank you for reporting @bkampmeyer

This is done in

3 Likes