Severe privacy threat: re-registering a deleted account gives access to private DMs.
- Installation type: unknown
- Pleroma version (could be found in the "Version" tab of settings in Pleroma-FE): confirmed on 2.0.0 as well as 2.0.50-153-g8bd5ad86-develop.
- Elixir version (`elixir -v` for from-source installations, N/A for OTP): unknown
- Operating system: unknown
- PostgreSQL version (`postgres -V`): unknown
When you delete an account, its posts (including private Direct Messages (DMs) sent by the account) get removed from the server, as they should. However, incoming posts sent to the account are not deleted. After deletion, the username of the account is free to be registered again by a different user with a different password.
This is where the bug comes in. When registering an account with the same username as a previously deleted account, the new account gains access to all of the incoming private Direct Messages sent to the deleted account. This is a major privacy risk for everyone who has had interactions through private Direct Messages with other people and consequently deleted their account. Any malicious user can now register a new account using any password and gain access to that person's incoming DMs.
To emphasize the risk, consider the following scenario: Alice is a popular person, and has an account named "Alice@pleroma.example". She exchanges private messages with Bob using Direct Messages, so only Alice and Bob can read the messages (ignoring admins). Alice decides to delete her account, and her outgoing posts are now deleted. However, Bob's messages to Alice are not deleted. Now, a malicious user, Chuck, can make a new account named "Alice@pleroma.example" using a different password, and he gains access to all of the private messages ever sent to Alice, therefore breaching the privacy of both Alice and Bob (and anyone else who has ever sent DMs to Alice). This reveals a lot about Alice as well as all of her social contacts. Chuck now knows all of Alice's social contacts, and gains detailed information about their communications.
This is a major privacy and security concern, since Chuck can be anyone. As such, this bug should be fixed as soon as possible. I have also marked this issue as confidential in order not to put too many people at risk until it is fixed. However, I would also like to know when this bug is expected to be fixed so that I can inform people of the danger.
How to reproduce
- Take an account with Direct Messages sent to and from the account.
- Delete the account. Now, all outgoing messages of the account are removed, but the Direct Messages sent to the account still remain on the server.
- Make a new account with the same username. The password can be different. Now, under "Direct Messages" as well as under "Timeline", you can see all of the incoming private DMs sent to the old account.
Note: this affects any type of mention of the old account name, not just mentions set to "Private". This has privacy implications of its own, but for the "private" messages, this threat is most severe.
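As an added illustration (not Pleroma's code), the following simplified Python model replays the scenario above: messages addressed by the reusable username are readable by whoever re-registers it, while purging inbound DMs on deletion, or keying the inbox on a per-registration id, closes the hole. `Server`, `Account`, `DirectMessage` and `reregistration_leak` are constructed for this model and assume nothing about Pleroma's internals.

```python
import itertools
from dataclasses import dataclass, field

# Simplified in-memory model of the bug in the report, not Pleroma's code. Each DM
# carries the recipient's stable id and the recipient's reusable username.
_ids = itertools.count(1)

@dataclass
class Account:
    username: str
    account_id: int = field(default_factory=lambda: next(_ids))

@dataclass
class DirectMessage:
    sender_id: int
    recipient_id: int    # unique per registration
    recipient_name: str  # free for re-registration after deletion
    body: str

class Server:
    def __init__(self, purge_inbound_on_delete=False):
        self.accounts, self.dms = {}, []
        self.purge_inbound_on_delete = purge_inbound_on_delete
    def register(self, username):
        if username in self.accounts:
            raise ValueError("username taken")
        self.accounts[username] = Account(username)
        return self.accounts[username]
    def send_dm(self, sender, recipient, body):
        self.dms.append(DirectMessage(sender.account_id, recipient.account_id,
                                      recipient.username, body))
    def delete_account(self, acct):
        del self.accounts[acct.username]
        # Outgoing posts go away (the report confirms this already happens);
        # inbound DMs go away only when the fix is enabled.
        self.dms = [m for m in self.dms if m.sender_id != acct.account_id]
        if self.purge_inbound_on_delete:
            self.dms = [m for m in self.dms if m.recipient_id != acct.account_id]
    def inbox_by_name(self, acct):  # vulnerable: keyed on the reusable username
        return [m.body for m in self.dms if m.recipient_name == acct.username]
    def inbox_by_id(self, acct):    # hardened: keyed on the registration's id
        return [m.body for m in self.dms if m.recipient_id == acct.account_id]

def reregistration_leak(purge_inbound_on_delete):
    """Replay the report's scenario; return what the new 'alice' can read."""
    s = Server(purge_inbound_on_delete)
    alice, bob = s.register("alice"), s.register("bob")
    s.send_dm(bob, alice, "bob-to-alice private")
    s.delete_account(alice)
    chuck = s.register("alice")  # same username; the password plays no role here
    return s.inbox_by_name(chuck), s.inbox_by_id(chuck)
```

With the default (no purge) the username-keyed inbox returns Bob's message to the new account while the id-keyed inbox returns nothing; with purging enabled both are empty.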