T8493 (Author) Posted August 15, 2016 (edited)

1. Basics

For example, the query https://api.gatehub.net/search/search?query=+enej returns:

{"total":2,"max_score":3.1815104,"hits":[
  {"_index":"profile","_type":"profile","_id":"2d793750-866d-9c77-2cb6-8ad5a6779e41","_score":3.1815104,
   "_source":{"uuid":"2d793750-866d-9c77-2cb6-8ad5a6779e41","first_name":"Enej","last_name":"Pungercar","ripple_address":"rGhATPPU4tCfYF5mwrYoMsrDp23eKdsULU","address":"rGhATPPU4tCfYF5mwrYoMsrDp23eKdsULU","type":10,"name":"enej"}},
  {"_index":"profile","_type":"profile","_id":"09a5061b-8950-4638-b3dd-6ae9220787bb","_score":2.8104534,
   "_source":{"email":"enej+55555@gatehub.net","last_name":null,"uuid":"09a5061b-8950-4638-b3dd-6ae9220787bb","first_name":null}}
]}

This response includes:
- first and last names (Enej Pungercar)
- user id (2d793750-866d-9c77-2cb6-8ad5a6779e41)
- GateHub name (enej)
- email (enej+55555@gatehub.net)
- ripple address (rGhATPPU4tCfYF5mwrYoMsrDp23eKdsULU)

It is also possible to search by first and last names: https://api.gatehub.net/search/search?query=first_name:gregor

I think they use ElasticSearch and therefore it is probably possible to construct other (more complex) queries. This API is also used in the GateHub UI.

2. Possible attacks

An attacker could easily scrape all details about GateHub users and use them to attack them. At the very least he could generate a database of emails of GateHub users and use it for sending phishing emails. ReCAPTCHA certainly won't stop him. Some people think there are no additional safeguards. I'm starting to believe this API could be the "source" of email addresses in some recent phishing attacks. User ids can be used in conjunction with other attacks.

3. Images

It is also possible to construct URLs with images:
https://s3.eu-central-1.amazonaws.com/gatehub.prod.storage/2d793750-866d-9c77-2cb6-8ad5a6779e41-small
https://s3.eu-central-1.amazonaws.com/gatehub.prod.storage/5f059a8b-3921-5085-50c5-0250245b49b5-small

4. Some other interesting queries

GateHub has probably around 29500 users (Customers): https://api.gatehub.net/search/search?query=*

It is probably possible to get around 2-3k emails using this method: https://api.gatehub.net/search/search?query=email:*

5. Legal stuff

Emails and first and last names are clearly not in the "public storage component" according to the Privacy policy:

Quote:
(1) a public storage component, which contains the Ripple name you create when setting up a Ripple Wallet via GateHub; (3) an ID storage component, which includes contact and other identifiable information you provide about yourself, including the email address you provide when first setting up a Ripple Wallet and any information you submit for identity verification purposes.

However, users must opt in for inclusion in this public index:

Quote:
At your direction, we will share information from the ID storage component with other parties. For instance, you may direct us to send this information to a Ripple Protocol gateway or other third-party service accessible via GateHub. Use of your information by these third parties will be subject to their privacy policies.

6. Questions for @gatehub

- Why are the details (especially emails) included in the search results?
- Why doesn't this API require authentication?
- How did the users opt in for inclusion in the public search index?
- How can users opt out from inclusion in the public search index?
- Does GateHub log queries to this search API? Which information is logged?
- If a user's email is public, how can the user be sure that "other parties" process his email in accordance with their privacy policies? Users don't even know who these "other parties" are.

Regarding 3 and 4: I don't see any specific UI component that would allow opting in or opting out from this "feature".

Edited August 15, 2016 by T8493
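The post above describes a search endpoint that forwards the raw query string to what looks like Elasticsearch and returns every stored field for each hit, so `email:*` and `*` work and e-mail addresses come back. The Python below is an added example, not GateHub's code and not from the thread: it builds that vulnerable request shape next to a hardened one (one allow-listed field, Lucene operators stripped, page size capped, `_source` filtered), projects each hit through a field allow-list, and runs a leakage check over constructed sample hits that reuse only the field names from the quoted response. The function names, regexes and sample values are assumptions made for the example.

```python
import re

# Fields the privacy-policy quote in the post describes as the public component
# (the GateHub name and the Ripple address). Everything else stays server-side.
PUBLIC_FIELDS = frozenset({"name", "ripple_address"})

# Field names seen in the quoted response that a public index should never expose.
SENSITIVE_FIELDS = frozenset({"email", "uuid", "first_name", "last_name"})

# Characters with meaning in the Lucene query_string syntax
# (field:value, wildcards, boolean operators, grouping, escapes).
_LUCENE_SPECIAL = re.compile(r'[+\-=&|><!(){}\[\]^"~*?:\\/]')

# Assumed heuristics for the audit: an e-mail shape and a UUID shape.
_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
_UUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def vulnerable_request(user_query: str) -> dict:
    """The anti-pattern the post describes: the raw string becomes a
    query_string query, so `email:*` or `*` are honoured, and with no
    _source filter every indexed field comes back."""
    return {"query": {"query_string": {"query": user_query}}}


def hardened_request(user_query: str, size: int = 10) -> dict:
    """Search one allow-listed field with operators removed, cap the page
    size, and ask the index for public fields only."""
    cleaned = " ".join(_LUCENE_SPECIAL.sub(" ", user_query).split())
    if not cleaned:
        raise ValueError("query is empty after removing operators")
    return {
        "size": max(1, min(size, 10)),
        "_source": sorted(PUBLIC_FIELDS),
        "query": {"match": {"name": {"query": cleaned, "operator": "and"}}},
    }


def project_hit(source: dict) -> dict:
    """Defence in depth: even if the index returns extra fields, drop
    anything outside the allow-list before the response leaves the server."""
    return {k: v for k, v in source.items() if k in PUBLIC_FIELDS}


def leaked_fields(source: dict) -> set:
    """Audit check for one hit: fields that are sensitive by name, or whose
    string value looks like an e-mail address or a UUID."""
    leaks = set()
    for key, value in source.items():
        if value is None:
            continue  # a null field leaks nothing
        if key in SENSITIVE_FIELDS:
            leaks.add(key)
        elif isinstance(value, str) and (_EMAIL.search(value) or _UUID.match(value)):
            leaks.add(key)
    return leaks


# Constructed sample hits: placeholder values, same field names as the post.
SAMPLE_HITS = [
    {"uuid": "11111111-2222-4333-8444-555555555555", "first_name": "Alice",
     "last_name": "Example", "ripple_address": "rAliceExampleAddress000000000000",
     "address": "rAliceExampleAddress000000000000", "type": 10, "name": "alice"},
    {"email": "alice@example.net", "last_name": None,
     "uuid": "66666666-7777-4888-8999-000000000000", "first_name": None},
]


def audit(hits: list) -> dict:
    """What the raw index would leak versus what survives the projection."""
    return {
        "leaked_before": sorted(set().union(*(leaked_fields(h) for h in hits))),
        "leaked_after": sorted(set().union(*(leaked_fields(project_hit(h)) for h in hits))),
    }


if __name__ == "__main__":
    print(vulnerable_request("email:*"))
    print(hardened_request("email:*"))
    print(audit(SAMPLE_HITS))
```

The `match` query on a single field is what makes `email:*` harmless: the operator characters are gone before the request is built, so the string can only ever be matched against the `name` field, and the `_source` allow-list plus `project_hit` mean that even a mis-built query cannot return an e-mail or a UUID. Authentication and rate limiting on the endpoint, which the post also asks about, are separate controls and are not shown here.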
Guest Posted August 15, 2016 (edited)

That could explain the phishing mails that some users received earlier this year, in which the phisher did not only have access to email, but also the ripple address and friendly name of that address. This cannot possibly be an intended "feature", this is a bug, and a gigantic one. This website should be shut down IMMEDIATELY until this hole is fixed. Right now it is super easy to collect all users, with a firstname dictionary. Since the api even allows wildcards, it's easy to collect the ENTIRE user database from Gatehub, and match funds to email address. I've moved my funds out of there yesterday. Anyone that knows my first name can verify that now.

Edited August 15, 2016 by Guest
T8493 (Author) Posted August 15, 2016

Quote (12 minutes ago, lucky said):
Since the api even allows wildcards, its easy to collect the ENTIRE user database from Gatehub, and match funds to emailaddress.

Not entire, because some search results include only user ids (no email, etc.) AFAIK.
DarthTrader Posted August 15, 2016

What! I mean WTF!!!!
Guest Posted August 15, 2016

Quote (1 minute ago, T8493 said):
Not entire because some search results include only user ids (no email, etc.) AFAIK.

The email=* also includes email. Combined with other queries you can stitch everything together, and the attacker has your ripple address, your email, your (KYC verified) real name, and (thanks to the ripple public ledger) your full payment history. Plus maybe more, who knows what other holes there are.
Guest Posted August 15, 2016

I've sent mail to support, let's see how fast they respond, and whether they realize the seriousness of this.
Guest Posted August 15, 2016 (edited)

Got response from @enej that he does not consider it a security issue, but that public search is part of their "GateHub Name" service. He just disabled it nevertheless.

Please, Ripple, ultimately this is your name on the line, throw some money at this urgent problem, do an external security audit, explain to them that making private information public without permission from their users (I have certainly not agreed to this when signing up) cannot possibly be part of their service, and help them to fix these problems, and probably many more problems that we don't yet know about. Tick... tick... tick...

Edited August 15, 2016 by Guest
T8493 (Author) Posted August 15, 2016 (edited)

Quote (15 minutes ago, lucky said):
Got response from @enej that he does not consider it a security issue, but that public search is part of their "GateHub Name" service". He just disabled it nevertheless.

Is the GateHub Name service alive? According to their help page it is not, but I haven't checked it for a while.

Edited August 15, 2016 by T8493
Hodor Posted August 15, 2016

Quote (13 minutes ago, lucky said):
public search is part of their "GateHub Name" service"

I don't think the severity of this breach has sunk in with him just yet. @T8493, thank you for bringing this to his attention, although I would have preferred you did that prior to posting on the public forum, and then published the interaction. You would have received the same amount of gratitude, but posting here first might have allowed further capture of email addresses by malicious sources.
Hodor Posted August 15, 2016

Quote (54 minutes ago, lucky said):
I've send mail to support, lets see how fast they respond, and wether they realize the seriousness of this.

Thanks for notifying Enej!
jn_r Posted August 15, 2016

Are these issues first discussed with Gatehub, or is there a reason why these things are discussed in public? I mean, it's great to see that these things are checked and it will benefit the security of Gatehub. But, on the other hand, you damage the reputation of Gatehub, not all discovered security holes might actually be security holes, and if there are really serious security issues it is better to first let the company know before publication so they can fix the security hole if necessary.
T8493 (Author) Posted August 15, 2016 (edited)

Quote (7 minutes ago, jn_r said):
Are these issues first discussed with Gatehub, or is there a reason why these things are discussed en public?

What makes you believe GateHub is interested in discussing such issues in private? If they were, there probably wouldn't be just 5 "contributors" on this page: https://gatehub.net/whitehat (this URL was recently published on this forum; I don't know how it is possible to get to it using the GateHub navigation links).

Quote:
I mean, it's great to see that these things are checked and it will benefit the security of Gatehub. But, on the other hand, you damage the reputation of Gatehub, not all discovered security holes might actually be security holes and if there are really serious security issues it is better to first let the company know before publication so they can fix the security hole if necessary.

According to @enej this is not a security issue.

Edited August 15, 2016 by T8493
jn_r Posted August 15, 2016

Quote (1 minute ago, T8493 said):
What makes you believe GateHub is interested in discussing such issues in private? If they were, there probably wouldn't be just 5 "contributors" on this page: https://gatehub.net/whitehat (this URL was published on this forum, I don't know how is it possible to get to it using the GateHub navigation links).

They should be interested. But I'd give them a week or so to react if you send to that https://gatehub.net/whitehat address. If they do not react or their answer is unsatisfactory, then you can publish.
T8493 (Author) Posted August 15, 2016

Quote (Just now, jn_r said):
They should be interested.

Yes, they SHOULD be interested.....
joy Posted August 15, 2016

Quote (2 hours ago, lucky said):
That could explain the phishing mails that some users received earlier this year, in which the phisher did not only have access to email, but also the ripple address and friendly name of that address. This can not possibly be an intended "feature", this is a bug, and a gigantic one. This website should be shut down IMMEDIATELY until this hole is fixed. Right now it is super easy to collect all users, with a firstname dictionary. Since the api even allows wildcards, its easy to collect the ENTIRE user database from Gatehub, and match funds to emailaddress. I've moved my funds out of there yesterday. Anyone that knows my first name can verify that now

Where did you move your funds to? Ripple needs to provide a trusted desktop wallet so we can secure our money until GateHub deploys its "end to end security"...