We're Hiring!

Mattermost Discussion Forums

Users able to join private channel using URL

What is happening :-

If a user pastes the URL of a private channel in a public channel in the team, any user who is not a member of private channel is able to click on the link and join that private channel.

Expected :-

The same channel should Ideally open with a message that you are not allowed access to the channel.

Is this the behaviour I’m observing standard behaviour? If so, is there some way I can change it?

Thanks.

@ahmaddanial could you perhaps provide further insight or escalate this? It seems to me, based on just the information in the original message, and the prior experience I have with situations such as this, that there is an instance of improper access control (which, for what it’s worth, can be taken as a security bug as well) due to the fact that it would seem that there is no validation of the logged-in user’s permission to access a given channel.

If this is the case, I would suggest a JSON array of some form, or something like that, of all channel IDs that a given user is allowed to access, and when switching channels, the comparison of the channel ID that the user is attempting to navigate to, against the list of permitted channel ID’s. The result would be a True/False statement, True meaning yes the user can access, False indicating permission denied, etc.

Thanks!

1 Like

@XxLilBoPeepsxX I will have to dig deeper into this before I go escalate this to the team internally.

@sahil7 A couple of questions from my side:

  • Can you confirm specifically which version of Mattermost Server are you running on?

  • Also, can you confirm if you are using AD/LDAP to manage channel membership here?

  • If you are on enterprise license, can you confirm how does the channel management section for a sample channel that is affected by this issue?

Just to make sure that I am covering all the possible aspects of this behavior. Keep me posted.

1 Like

I’m personally a bit curious about this one, so I am going to see if I can spin up a new instance to test against if I can get the time soon to do so.

I can definitely confirm this security issue. We are using version 5.25.0 (Community Edition), but with local user management (no AD/LDAP).
If someone shares the link of a private channel to users who have not been invited to that channel before, they can add themselves to the channel. Without any further authorization check.

1 Like

@ahmaddanial If I create a working proof-of-concept video showing the exploit in action, would that be grounds for escalation to security, do you think? I’m seeing this as a potential improper access controls bug.

1 Like

If you’re able to reproduce, please report it via Report a Security Vulnerability - Mattermost.

2 Likes

Hi, @XxLilBoPeepsxX

As per @amy.blais , you can raise a sec report through the link she shared. Thanks!

1 Like

I just have spun up a new instance of the latest release, I’m testing it now, I’ll report back on my findings and if applicable submit a report here shortly :slight_smile:

UPDATE:

Just tested with Mattermost self-hosted version 5.36.0 and It’s not allowing a non-permitted user to join the private channel. I’m going to test the version(s) that were found to be affected by the issue next.

1 Like

Update: joining a private channel with the channel link without invitation is only possible, if the “user” has “system admin” privileges.
So it’s not a security problem in that sense, but it’s a very strange behavior.

1 Like