Why does GateHub allow public access to emails of its customers?

[T8493]

1. Basics

For example, query

https://api.gatehub.net/search/search?query=+enej

returns

{"total":2,"max_score":3.1815104,"hits":[{"_index":"profile","_type":"profile","_id":"2d793750-866d-9c77-2cb6-8ad5a6779e41","_score":3.1815104,"_source":{"uuid":"2d793750-866d-9c77-2cb6-8ad5a6779e41","first_name":"Enej","last_name":"Pungercar","ripple_address":"rGhATPPU4tCfYF5mwrYoMsrDp23eKdsULU","address":"rGhATPPU4tCfYF5mwrYoMsrDp23eKdsULU","type":10,"name":"enej"}},{"_index":"profile","_type":"profile","_id":"09a5061b-8950-4638-b3dd-6ae9220787bb","_score":2.8104534,"_source":{"email":"enej+55555@gatehub.net","last_name":null,"uuid":"09a5061b-8950-4638-b3dd-6ae9220787bb","first_name":null}}]}

This response includes:

• first and last names (Enej Pungercar)
• user id (2d793750-866d-9c77-2cb6-8ad5a6779e41)
• GateHub name (enej)
• email (enej+55555@gatehub.net),
• ripple address (rGhATPPU4tCfYF5mwrYoMsrDp23eKdsULU)

It is also possible to search by first and last names:

https://api.gatehub.net/search/search?query=first_name:gregor

 

I think they use ElasticSearch and therefore it is probably possible to construct other (more complex) queries.

This API is also used in the GateHub UI.

 

 

2. Possible attacks

Attacker could easily scrap all details about GateHub users and use it to attack them. At least it could generate a database of emails of GateHub users and use it for sending phishing emails. ReCAPTCHA certainly won't stop him. Some people think there are no additional safeguards.

I'm starting to believe this API could be the "source" of email addresses in some recent phishing attacks.

User ids can be used in conjunction with other attacks.

 

3. Images

It is also possible to construct URLs with images:

https://s3.eu-central-1.amazonaws.com/gatehub.prod.storage/2d793750-866d-9c77-2cb6-8ad5a6779e41-small
https://s3.eu-central-1.amazonaws.com/gatehub.prod.storage/5f059a8b-3921-5085-50c5-0250245b49b5-small

 

4. Some other interesting queries

GateHub has probably around 29500 users (Customers): https://api.gatehub.net/search/search?query=*

It is probably possible to get around 2-3k emails using this method: https://api.gatehub.net/search/search?query=email:*

 

5. Legal stuff

Emails and first and last names are clearly not in the "public storage component" according to Privacy policy:

Quote

(1) a public storage component, which contains the Ripple name you create when setting up a Ripple Wallet via GateHub;

(3) an ID storage component, which includes contact and other identifiable information you provide about yourself, including the email address you provide when first setting up a Ripple Wallet and any information you submit for identity verification purposes.

However, users must opt-in for the inclusion in this public index:

Quote

At your direction, we will share information from the ID storage component with other parties. For instance, you may direct us to send this information to a Ripple Protocol gateway or other third-party service accessible via GateHub. Use of your information by these third parties will be subject to their privacy policies.

 

 

6. Questions for @gatehub

1. Why are the details (especially emails) included in the search results?
2. Why this API doesn't require authentication?
3. How did the users opt-in for the inclusion in the public search index?
4. How can users opt-out from the inclusion in the public search index?
5. Does GateHub log queries to this search API? Which information is logged?
6. If user's email is public, how can user be sure that "other parties" process his email in concordance with their privacy policies? Users don't even know who are these "other parties".

 

Regarding 3 and 4: I don't see any specific UI component that would allow opting-in or opting-out from this "feature".

 

 

Edited August 15, 2016 by T8493

[Guest]

That could explain the phishing mails that some users received earlier this year, in which the phisher did not only have access to email, but also the ripple address and friendly name of that address.This can not possibly be an intended "feature", this is a bug, and a gigantic one.This website should be shut down IMMEDIATELY until this hole is fixed. Right now it is super easy to collect all users, with a firstname dictionary. Since the api even allows wildcards, its easy to collect the ENTIRE user database from Gatehub, and match funds to emailaddress.

I've moved my funds out of there yesterday. Anyone that knows my first name can verify that now

Edited August 15, 2016 by Guest

[T8493]

12 minutes ago, lucky said:

Since the api even allows wildcards, its easy to collect the ENTIRE user database from Gatehub, and match funds to emailaddress.

Not entire because some search results include only user ids (no email, etc.) AFAIK.

 

 

[DarthTrader]

What! I mean WTF!!!!

[Guest]

1 minute ago, T8493 said:

Not entire because some search results include only user ids (no email, etc.) AFAIK.

the email=* also includes email. combined with other queries you can stitch everything together, and attacker has your ripple address, your email, your (KYC verified) real name, and (thanks to the ripple public ledger) your full payment history. Plus maybe more, who knows what other holes there are.

[Guest]

I've send mail to support, lets see how fast they respond, and wether they realize the seriousness of this.

[Guest]

Got response from @enej that he does not consider it a security issue, but that public search is part of their "GateHub Name" service". He just disabled it nevertheless.

Please, Ripple, ultimately this is your name on the line, throw some money to this urgent problem, do an external security audit, explain to them that making private information public without permission from their users (I have certainly not agreed to this  when signing up) cannot possibly be part of their service, and help them to fix these problems, and probably many more problems that we don't yet know about. Tick... tick... tick...

Edited August 15, 2016 by Guest

[T8493]

15 minutes ago, lucky said:

Got response from @enej that he does not consider it a security issue, but that public search is part of their "GateHub Name" service". He just disabled it nevertheless.

Is GateHub Name service alive? According to their help page it is not, but I haven't checked it for a while.

 

 

Edited August 15, 2016 by T8493

[Hodor]

13 minutes ago, lucky said:

public search is part of their "GateHub Name" service"

I don't think the severity of this breach has sunk in with him just yet.  @T8493, thank you for bringing this to his attention, although I would have preferred you did that prior to posting on the public forum, and then published the interaction - you would have received the same amount of gratitude, but posting here first might have allowed further capture of email addresses by malicious sources. 

[Hodor]

54 minutes ago, lucky said:

I've send mail to support, lets see how fast they respond, and wether they realize the seriousness of this.

Thanks for notifying Enej! 

[jn_r]

Are these issues first discussed with Gatehub, or is there a reason why these things are discussed en public?

I mean, it's great to see that these things are checked and it will benefit the security of Gatehub. But, on the other hand, you damage the reputation of Gatehub, not all discovered security holes might actually be security holes and if there are really serious security issues it is better to first let the company know before publication so they can fix the security hole if necessary.

[T8493]

7 minutes ago, jn_r said:

Are these issues first discussed with Gatehub, or is there a reason why these things are discussed en public?

What makes you believe GateHub is interested in discussing such issues in private?

If they were, there probably wouldn't be just 5 "contributors" on this page: https://gatehub.net/whitehat (this URL was recently published on this forum, I don't know how is it possible to get to it using the GateHub navigation links).

 

 

Quote

I mean, it's great to see that these things are checked and it will benefit the security of Gatehub. But, on the other hand, you damage the reputation of Gatehub, not all discovered security holes might actually be security holes and if there are really serious security issues it is better to first let the company know before publication so they can fix the security hole if necessary.

According to @enej this is not a security issue.

 

 

Edited August 15, 2016 by T8493

[jn_r]

1 minute ago, T8493 said:

What makes you believe GateHub is interested in discussing such issues in private?

If they were, there probably wouldn't be just 5 "contributors" on this page: https://gatehub.net/whitehat (this URL was published on this forum, I don't know how is it possible to get to it using the GateHub navigation links).

They should be interested. But I'd give them a week or so to react if you send to that  https://gatehub.net/whitehat adress.. If they do not react or their answer is unsatisfactory, then you can publish..

[T8493]

Just now, jn_r said:

They should be interested.

Yes, they SHOULD be interested.....

 

[joy]

2 hours ago, lucky said:

That could explain the phishing mails that some users received earlier this year, in which the phisher did not only have access to email, but also the ripple address and friendly name of that address.This can not possibly be an intended "feature", this is a bug, and a gigantic one.This website should be shut down IMMEDIATELY until this hole is fixed. Right now it is super easy to collect all users, with a firstname dictionary. Since the api even allows wildcards, its easy to collect the ENTIRE user database from Gatehub, and match funds to emailaddress.

I've moved my funds out of there yesterday. Anyone that knows my first name can verify that now

Where did you moved your funds to? 

Ripple needs to provide a trusted desktop wallet  so we can secure our money  Until gatehub deploy its "and to and  security "...