Screenshots posted (pasted) into private chatrooms are stored in an insecure manner
HackerOne report #817442 by letstryharder
on 2020-03-12, assigned to @cmaxim:
Summary
Note: I am already aware that files.gitter.im may be an out-of-scope asset; however, the vulnerability I am referring to is partially part of the main asset, the Gitter.im messaging functionality (posting and uploading screenshots) in (private) chatrooms.
Gitter allows users to paste screenshots into chatrooms as messages; however, the screenshots are uploaded insecurely to a URL of the form https://files.gitter.im/qazxsw/qazxsw/MlvQ/image.png
In the case of private chatrooms, the secret path segment, here MlvQ, can easily be brute-forced by an attacker because of its low entropy: 4 characters, so 60*60*60*60 (about 13 million) combinations at most, and fewer in practice. The attacker may be someone who was part of the Gitter chatroom (or team) in the past but has since been removed, so they already know the chatroom path (https://files.gitter.im/b0shaha/tessss), or they may be able to guess it if it is simple.
Further, when a message (posted screenshot) is deleted, the uploaded file is not removed, which is bad for the user's security, especially in a private chatroom context. There is thus no way to delete a once-uploaded screenshot.
Steps to reproduce
- Create a Gitter private room on gitter.im, say https://gitter.im/b0shaha/tessss/ for instance.
- Take a screenshot of any page <PrntScr>.
- Paste it into the Gitter private chatroom message box <Ctrl+V>. The screenshot is uploaded to, for example, https://files.gitter.im/qazxsw/qazxsw/MlvQ/image.png
Now anyone who knows the path https://files.gitter.im/b0shaha/tessss/, or who was part of the tessss private chatroom in the past and therefore knows it, can easily brute-force the MlvQ id in the uploaded file path and obtain any internal screenshots, because the id's low entropy makes it susceptible to exposure.
Impact
This vulnerability allows any ex-team member (who has since been removed from the Gitter private chatroom), or anyone who can guess the private chatroom name (tessss in this example), to easily enumerate (brute-force) and expose internal screenshots pasted (posted) into private Gitter chatrooms, due to the weak MlvQ id in the file upload path and the absence of any file signature on the uploaded screenshot URL (https://files.gitter.im/qazxsw/qazxsw/MlvQ/image.png, for example).
Further, once uploaded to the Gitter server, the files cannot be deleted, so even if the message is deleted, the file remains.
What is the current bug behavior?
Screenshots pasted into Gitter are uploaded insecurely to https://files.gitter.im/qazxsw/qazxsw/MlvQ/image.png, where the MlvQ (secret) segment can feasibly be guessed or brute-forced by an attacker to obtain internal screenshots, for example from private Gitter chatrooms.
What is the expected correct behavior?
In the case of private chatrooms, the uploaded screenshots should be accessible only via strong file signatures (or at least via upload paths with enough entropy that they cannot easily be brute-forced, unlike here), so as to avoid exposure of internal private chatroom data.
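The following is an added example, not Gitter's code and not part of the original report. It quantifies the brute-force cost the report describes for a 4-character path id (the report's 60-symbol alphabet and an assumed 62-symbol alphanumeric alphabet and request rate are assumptions), and then shows the hardened form asked for under the expected correct behavior: a 128-bit random object id plus an HMAC over the whole path with an expiry, so that knowing the owner/room prefix gives an attacker nothing to enumerate. The owner, room and object names, the signing key and the TTL are constructed values.

```python
"""Weak 4-char upload id vs. a 128-bit random id with an HMAC-signed path.
Added example; not Gitter's code. Alphabet, request rate, key and names are assumptions."""
import hashlib
import hmac
import math
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Assumed alphabet for the weak id (the report does not state the real one).
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def keyspace_bits(length, alphabet_size=len(ALNUM)):
    """Entropy (bits) of a uniformly random id of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(length, alphabet_size=len(ALNUM)):
    """Expected number of guesses to hit one specific id (half the keyspace)."""
    return alphabet_size ** length / 2


def hours_to_exhaust(length, alphabet_size=len(ALNUM), req_per_sec=100):
    """Wall-clock hours to try every id at an assumed sustained request rate."""
    return alphabet_size ** length / req_per_sec / 3600


# --- hardened form: unguessable id + signature bound to the full path --------
SIGNING_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)


def new_object_id():
    """128-bit random URL-safe id: keyspace 2**128 instead of 62**4."""
    return secrets.token_urlsafe(16)


def _mac(path, exp, key):
    """HMAC-SHA256 over the exact path and the expiry timestamp."""
    return hmac.new(key, f"{path}|{exp}".encode(), hashlib.sha256).hexdigest()


def sign_path(owner, room, object_id, filename, ttl=3600, now=None, key=SIGNING_KEY):
    """Return /owner/room/object_id/filename?exp=...&sig=... for the given path."""
    now = int(time.time()) if now is None else now
    exp = now + ttl
    path = f"/{owner}/{room}/{object_id}/{filename}"
    return f"{path}?exp={exp}&sig={_mac(path, exp, key)}"


def verify_url(url, now=None, key=SIGNING_KEY):
    """True only if sig matches the exact path + exp and the link has not expired."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        exp = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters: reject
    if now > exp:
        return False  # expired link: reject even if the signature is valid
    return hmac.compare_digest(_mac(parts.path, exp, key), sig)


if __name__ == "__main__":
    print(f"4-char alnum id: {keyspace_bits(4):.1f} bits, "
          f"{expected_guesses(4):,.0f} expected guesses, "
          f"{hours_to_exhaust(4):.1f} h to exhaust at 100 req/s")
    print(f"4-char id over 60 symbols (report's estimate): {keyspace_bits(4, 60):.1f} bits")
    print(f"128-bit random id: {keyspace_bits(16, 256):.0f} bits")
    url = sign_path("b0shaha", "tessss", new_object_id(), "image.png")
    print(url, verify_url(url))
```

The numbers make the report's point concrete: a 4-character id is about 24 bits, which a single client can exhaust in roughly two days at 100 requests per second, whereas a 128-bit id is out of reach. Note that even an unguessable, signed URL is still a bearer capability: a former member who saved a link keeps it until it expires, so the expiry (or a per-request membership check on files.gitter.im) matters as much as the entropy, and deleting the message must also delete the object.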
Impact
As described in the Impact section above, this leads to exposure of internal private chatroom screenshot data through feasible brute-force of the weak upload path id, and the files cannot be deleted once uploaded.