Private rooms information leak via URLs #6807

Closed
madduck opened this issue May 27, 2018 · 2 comments

madduck commented May 27, 2018

I am sorry if this is a duplicate, I did try to look for open issues using all the usual keywords, but without success.

So we have a private room, and in it, we shared a semi-secret document (via upload). Circumstance had it that someone accidentally leaked the URL to the scan to another forum. He immediately noticed, but there was nothing we could do, AFAICT, for knowledge of the URL would allow anyone to download the scan. One doesn't even need to be logged in to Riot/Matrix, let alone be a member of the room.

This is bad, and I'd argue that media URLs should essentially default to 403s or 401s, unless credentials are provided and those would be enough to let you see the media in Riot.

t3chguy (Member) commented May 27, 2018

t3chguy closed this as completed May 27, 2018

madduck (Author) commented May 27, 2018

Silly me, @t3chguy. Too early in the morning, and too few coffees, as to think this was in any way a UI problem. Sorry about that.
