Privacy issue: Accesses to external sites from private installation #1010

Open
beat opened this issue Jun 27, 2021 · 1 comment

beat commented Jun 27, 2021

A private installation through docker-compose accesses the following external sites by default:

  1. mist.io
  2. js.stripe.com, m.stripe.network
  3. gravatar.com
  4. io.wp.com

This allows those sites to spy on the installation's existence through the HTTP Referer, and for Stripe through the URL as well, and additionally to actually access through JS all HTML content on the page (including private keys and passwords). It renders mist.io vulnerable to a potential breach and/or vulnerabilities of stripe.com.

I am reporting this privacy issue and security issue publicly, since it is a very low-risk vulnerability (as it basically requires a breach in Stripe.com to become exploitable), and mainly a privacy issue, which deserves transparency.

Here are a few suggestions to remove any external accesses from mist.io webpages:

  1. and 4. : mist.io and io.wp.com are just for fetching the default user icon, so can easily be changed to a local version of the icon.

  3. gravatar.com tries to fetch the user picture, but this feature should be off by default.

  2. stripe.com is fetched on all pages, instead of only on the payments page when the user actually wants to upgrade. However, it is considered bad practice to have the payment page hosted elsewhere than on your own domain. This is against normal rules and can give a bad reputation to your own payment provider (e.g. if your software is used on sites with content prohibited by the payment provider).

Here are the URLs accessed (seen through browser debug/network) e.g. on the Teams page:

  1. https://mist.io/ui/assets/user.png
  2. https://js.stripe.com/v2/
  3. https://js.stripe.com/v2/channel.html?stripe_xdm_e=http%3A%2F%2F10.0.0.2&stripe_xdm_c=default89171&stripe_xdm_p=1#__stripe_transport__
  4. https://js.stripe.com/v2/m/outer.html#referrer=&title=Mist%20CE&url=http%3A%2F%2F10.0.0.2%2Fteams&muid=6d46154b-c7e9-4608-840d-505f10cb6eaa6e2f49&sid=eaf14818-6e6b-4b0d-b27e-016af103605b50ed41&version=6&preview=false&
  5. https://js.stripe.com/v2/
  6. https://m.stripe.network/inner.html#referrer=&title=Mist%20CE&url=http%3A%2F%2F10.0.0.2%2Fteams&muid=6d46154b-c7e9-4608-840d-505f10cb6eaa6e2f49&sid=eaf14818-6e6b-4b0d-b27e-016af103605b50ed41&version=6&preview=false&
  7. https://www.gravatar.com/avatar/b67b5926b459623d2f0e0b389059f072.jpg?s=40&d=https://mist.io/ui/assets/user.png
  8. https://m.stripe.network/out-4.5.35.js
  9. https://m.stripe.com/6
  10. https://i0.wp.com/mist.io/ui/assets/user.png?ssl=1
  11. https://m.stripe.com/6
  12. https://m.stripe.com/6
  13. https://m.stripe.com/6
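
As an added check (example code written for this page, not part of the mist.io project or of the reporter's post): a small Node.js script that takes the request list above as constructed sample input, separates requests to the installation's own origin (assumed here to be http://10.0.0.2, as in the capture) from third-party ones, and flags any third-party request whose query or fragment parameters carry the installation's origin. That is the mechanism by which the `stripe_xdm_e` and `url=` parameters above reveal a private install even when the browser suppresses the Referer. The script cannot see values that are hashed before being sent, such as the MD5 of the user's e-mail address in the gravatar URL, so an empty leak list is necessary but not sufficient.

```javascript
// Added example, not code from the mist.io project or the issue author.
// Audits URLs captured from a browser's network panel and reports
//   - third-party hosts (anything not on the installation's own origin), and
//   - third-party requests whose query or fragment parameters contain the
//     installation's origin, i.e. leak it independently of the Referer header.
// Assumption (not from the page): the installation is served at http://10.0.0.2.

const INSTALL_ORIGIN = "http://10.0.0.2";

// Constructed sample input: the requests the issue lists for the Teams page.
const CAPTURED_REQUESTS = [
  "https://mist.io/ui/assets/user.png",
  "https://js.stripe.com/v2/",
  "https://js.stripe.com/v2/channel.html?stripe_xdm_e=http%3A%2F%2F10.0.0.2&stripe_xdm_c=default89171&stripe_xdm_p=1#__stripe_transport__",
  "https://js.stripe.com/v2/m/outer.html#referrer=&title=Mist%20CE&url=http%3A%2F%2F10.0.0.2%2Fteams&muid=6d46154b-c7e9-4608-840d-505f10cb6eaa6e2f49&sid=eaf14818-6e6b-4b0d-b27e-016af103605b50ed41&version=6&preview=false&",
  "https://js.stripe.com/v2/",
  "https://m.stripe.network/inner.html#referrer=&title=Mist%20CE&url=http%3A%2F%2F10.0.0.2%2Fteams&muid=6d46154b-c7e9-4608-840d-505f10cb6eaa6e2f49&sid=eaf14818-6e6b-4b0d-b27e-016af103605b50ed41&version=6&preview=false&",
  "https://www.gravatar.com/avatar/b67b5926b459623d2f0e0b389059f072.jpg?s=40&d=https://mist.io/ui/assets/user.png",
  "https://m.stripe.network/out-4.5.35.js",
  "https://m.stripe.com/6",
  "https://i0.wp.com/mist.io/ui/assets/user.png?ssl=1",
  "https://m.stripe.com/6",
  "https://m.stripe.com/6",
  "https://m.stripe.com/6",
];

// Split a query string ("?a=1&b=2") or fragment ("#a=1&b=2") into decoded
// [key, value] pairs. Fragments matter here: Stripe passes the page URL in the
// fragment, which never reaches the server log but is fully visible to the
// script running in the third-party frame.
function parseParams(str) {
  const pairs = [];
  for (const pair of str.replace(/^[?#]/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const raw = eq === -1 ? "" : pair.slice(eq + 1);
    let value;
    try {
      value = decodeURIComponent(raw);
    } catch {
      value = raw; // malformed percent-encoding: keep the raw text
    }
    pairs.push([key, value]);
  }
  return pairs;
}

// True when a parameter value is a URL whose origin is the installation's own.
// Parsing instead of prefix-matching avoids false hits such as http://10.0.0.25.
function mentionsInstallation(value, ownOrigin) {
  try {
    return new URL(value).origin === ownOrigin;
  } catch {
    return false; // not a URL at all (titles, ids, booleans, empty strings)
  }
}

// Returns { thirdPartyHosts: string[], leaks: {host, param, value}[] }.
function auditRequests(requests, installOrigin) {
  const ownOrigin = new URL(installOrigin).origin;
  const thirdPartyHosts = new Set();
  const leaks = [];
  for (const req of requests) {
    const u = new URL(req);
    if (u.origin === ownOrigin) continue; // same-origin traffic is fine
    thirdPartyHosts.add(u.hostname);
    for (const [param, value] of [...parseParams(u.search), ...parseParams(u.hash)]) {
      if (mentionsInstallation(value, ownOrigin)) {
        leaks.push({ host: u.hostname, param, value });
      }
    }
  }
  return { thirdPartyHosts: [...thirdPartyHosts].sort(), leaks };
}

console.log(JSON.stringify(auditRequests(CAPTURED_REQUESTS, INSTALL_ORIGIN), null, 2));
```

Re-run the audit after each proposed change (local default icon, gravatar off by default, stripe.js only on the billing page) until `thirdPartyHosts` is empty. A `Content-Security-Policy-Report-Only: default-src 'self'` header on the installation gives the same signal from the browser itself, without a manual capture, and the enforcing form of that header blocks the requests outright.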

d-mo (Member) commented Jun 27, 2021

Thank you for reporting this. We were aware of the stripe.js issue and we're planning to address it in one of the upcoming releases, most likely in 4.6. We'll look into the other issues as well.

@d-mo d-mo self-assigned this Jun 27, 2021
@d-mo d-mo added the bug label Jun 27, 2021