This repository has been archived by the owner on Jan 14, 2020. It is now read-only.

🐃 Avatar can be used to track viewers #526

Open
DanielVF opened this issue Sep 21, 2018 · 0 comments
Labels
bug Something isn't working as intended javascript origin.js security

Comments

Collaborator

DanielVF commented Sep 21, 2018

There's nothing preventing the avatar image from being an HTTP link. This allows a user to get the IP address/browser/etc. for everyone that views one of their listings or their profile. Could also be used to get the IP addresses of counterparties or arbitrators.

We need to remove avatar images that are not data URLs.

To test:

```javascript
await originTest.users.set({profile:{
    firstName:"The Black",
    lastName:"Team",
    avatar:"http://localhost/evilTracker.gif"
}})
```
@DanielVF DanielVF added bug Something isn't working as intended security labels Sep 21, 2018
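
One way to enforce the "data URLs only" rule from the issue above, as an added example that is not part of the original issue or of origin.js. The names `sanitizeAvatar`, `sanitizeProfile`, `ALLOWED_TYPES` and `MAX_AVATAR_CHARS`, the raster-only type list and the size cap are all assumptions.

```javascript
// Added example, not origin.js code. All names and limits here are hypothetical.
const ALLOWED_TYPES = new Set(['image/png', 'image/jpeg', 'image/gif']) // assumed allowlist
const MAX_AVATAR_CHARS = 128 * 1024 // assumed cap on the encoded avatar string

// Returns the avatar unchanged if it is an inline base64 image, otherwise null.
function sanitizeAvatar(avatar) {
  if (typeof avatar !== 'string' || avatar.length > MAX_AVATAR_CHARS) return null
  // Anchored allowlist match with no trimming: "http://...", "//host/x.gif",
  // and values with leading whitespace all fail instead of being normalized.
  const m = /^data:([a-z]+\/[a-z0-9.+-]+);base64,([A-Za-z0-9+/]+={0,2})$/i.exec(avatar)
  if (!m) return null
  if (!ALLOWED_TYPES.has(m[1].toLowerCase())) return null
  if (m[2].length % 4 !== 0) return null // malformed base64 payload
  return avatar
}

// Drops a non-conforming avatar and leaves the rest of the profile intact.
// Run it when a profile is set and again before one is rendered, because a
// profile written by another client never passed through the write-side check.
function sanitizeProfile(profile) {
  const clean = Object.assign({}, profile)
  const avatar = sanitizeAvatar(profile.avatar)
  if (avatar === null) delete clean.avatar
  else clean.avatar = avatar
  return clean
}

// Constructed sample input: a small inline GIF data URL.
const TINY_GIF =
  'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'

// The profile from the issue's test case, after sanitizing.
function demo() {
  return sanitizeProfile({
    firstName: 'The Black',
    lastName: 'Team',
    avatar: 'http://localhost/evilTracker.gif'
  })
}
```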