Just a short reminder to anonymize data on the server-side and not in the browser, illustrated by a small privacy vulnerability I've found during, well, a security talk I've attended that took place on the ClickMeeting platform (it was still 10 minutes before the talk began you understand).
Props to ClickMeeting for a fast reaction time and good communication - this bug is long fixed (reported on April 7th 2021).
Original report (though redacted a bit) follows:
Hey folks,
I've joined a webinar hosted on clickmeeting platform today, and noticed one
thing which I found curious.
The webinar I attended had chat enabled, however there seem to be some "privacy
mode" enabled for attendees - i.e. the chat didn't display the list of people
(which is pretty standard nowadays I guess), nor one's name when writing a
message - but only initials, e.g. (picture inline):
This sounds like a pretty cool feature and I believe is described in this
article on your blog.
"When it comes to running webinars, other attendees will no longer see other
attendees’ names. Due to security reasons, it will be impossible to identify any
attendees in the event room."
That being said, the actual WebSocket communication contained both:
1) The full name of the person:
2) And the full list of people attending the webinar:
JSON packet sniffed from the WebSocket traffic for the picture above:
[
"chat.newMessages",
"CC",
[
{
"id": 804911256869,
"uid": UID REMOVED FROM BLOG POST,
"type": "message",
"content": "CONTENT REMOVED FROM BLOG POST",
"userName": "FULL NAME REMOVED FROM BLOG POST",
"timestamp": 1617704463000,
"time": "Tue, 06 Apr 2021 10:21:03 GMT",
"moderationStatus": -1,
"isDiscussed": false,
"to": -1,
"role": 1,
"conferenceId": 4875343,
"replyData": {},
"sharedFiles": []
}
]
]
The obvious suggestion for a fix is to do the name-to-initials conversion on the
server side instead, and perhaps additionally hide/obfuscate the "uid" if it's
persistent between different webinars (I'm guessing it's not, but you know the
system better).
Important: Please assume this is reported under the industry-standard 90-day
policy (like this one), i.e. information about this vulnerability will be shared
with the defensive community 90 days from now (7th July 2021).
P.S. Regardless of the above, please consider adding some information about how
to contact your security team on your website.
The usual way is:
1. Add the contact details at https://clickmeeting.com/.well-known/security.txt
(see this, this and this for details).
2. Add a way to report vulnerabilities at
https://knowledge.clickmeeting.com/privacy-security/ (e.g. this e-mail address).
3. Add a way to report vulnerabilities to https://disclose.io/programs/
database.
By the way...
There are more blog posts you might like on my company's blog: https://hexarcana.ch/b/
Kind regards,
--
Gynvael Coldwind
Add a comment: