Massive security problem!

Please fill out these questions for all feature requests and bug reports. If you're requesting a feature, please let us know why this feature is important or useful, not just what it should do.
Thanks!

  1. What browsers show this problem? serverside/all
  2. Please share an example project (if possible).
  3. Describe the steps to reproduce this issue. snap.berkeley.edu/users/(username)
  4. What does Snap! currently do? Reveal user information that should not be public.
    {"created":"(date)","id":(number),"role":"(role)","email":"(user@domain.tld)","username":"(username)","verified":(true/false)}
  5. What should Snap! do instead? respond with a big fat HTTP 403

please thanos :snap: this bug

Whoa! Right you are, we shouldn't be leaking email addresses. Thanks for reporting it!

@bromagosa, this one's for you.

Hmmm... Are you sure? Did you try with a different user than yourself? (Not you, @bh, you're an admin)

I've just tried it. It does leak any user's information.
EDIT: I've also searched archive.org, but they don't have any record, so that's OK.

Okay, I'm totally overworked right now and can't spend a minute on anything else :worried:

Can @cycomachead take a look maybe?

As am I.

I’ll see what I can do. I don’t have a good idea of everywhere this is used.

Also, for security issues PLEASE do not report things publicly.

I am double booked

I support this suggestion. It sounds like a good idea.

Found and fixed. It was a stupid operator precedence error that was affecting not just this one user permission assertion... :worried:

Thanks for reporting!

p.s. As @cycomachead suggested, in the future please use contact@snap.berkeley.edu to report security issues.

I forgot to say, this kind of error could have never happened in a blocks-based language! :stuck_out_tongue_winking_eye:

Bless you!

By the way, I didn't try this on anyone other than another account I had.