FIX User private info exposed #303

tyagishuchi1 · 2020-07-20T09:34:49Z

Any user's private profile info can be accessed publicly via anybody as long as the wallet address is known. And since the Smart contract's addresses are public and the Oath Keeper/Advocate openly mentions the list of wallets, addresses can be very easily accessed. Although all APIs expose data publicly, but with this API a wallet address can be attached to a user's real world identity.
It also exposes the id related to the user which makes the JBP DB too predictable for resource harvesting.

Expected Behavior

The API should only return the info if the user is authorized

Environment: Beta/Test/Temp

Send a GET request to https://beta.jur.io/api/v1/user providing wallet as a header

The text was updated successfully, but these errors were encountered:

mtmsuhail · 2020-07-22T09:18:44Z

@tyagishuchi1 This issue reported earlier, this also an issue with many other end-points

Ex:-

Send a DELETE request to https://beta.jur.io/api/v1/user providing wallet as a header
Send a PUT request to https://beta.jur.io/api/v1/user providing wallet as a header with body content

Solution: We should authenticate the wallet using some methods like this

tyagishuchi1 added bug Highest priority production Needs to be addressed in production labels Jul 20, 2020

tyagishuchi1 added this to the Legacy milestone Jul 20, 2020

ashishjur assigned mtmsuhail, 0xlyd and marcomarasco Jul 22, 2020

czareko unassigned marcomarasco Oct 29, 2021