Ensure that attachment has expected group ID when loading

This branch makes two changes to prevent social engineering attacks in which the sender of a private message uses an attachment ID to test whether a certain message is present in the recipient's database.

The first commit prevents the first variant of the attack, in which the attachment ID points to a valid attachment in a different group (e.g. the profile picture of another user). If the recipient reveals to the sender whether an image was loaded then the attacker learns that the recipient has received the target message (e.g. is a contact of the user whose profile picture was the target).

The second commit prevents the second variant of the attack, in which the attachment ID points to a message in any group that isn't a valid attachment. If the recipient reveals to the sender whether the missing attachment placeholder was shown then the attacker learns whether the recipient has received the target message (the placeholder is shown if the message is missing from the DB, but not shown if the message is present but not a valid attachment).

Arguably the second commit is redundant because it's harmless for the sender to probe for messages in the same group as the sender's message. But preventing the AttachmentReader API from leaking any information about invalid attachments is probably sensible.

Closes #1912
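The check the merge request describes can be modelled in a few lines. The following Python is an added illustration, not code from the Briar project or from this merge request: the store, the message ids and the `load_attachment_*` functions are all hypothetical. It contrasts a loader that distinguishes "missing", "wrong group" and "not an attachment" from one that collapses every case except a valid attachment in the expected group into the same placeholder outcome, so the sender of a probe message learns nothing from the recipient's reaction.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of a message store: message id -> group id plus whether the
# message parses as a valid attachment. Not Briar's real database or API.
@dataclass(frozen=True)
class StoredMessage:
    group_id: str
    valid_attachment: bool
    data: bytes = b""

# Sample contents, constructed for the example. The sender's own message lives
# in "group-A"; the other entries are things a probe could point at.
SAMPLE_DB: Dict[str, StoredMessage] = {
    "att-in-same-group": StoredMessage("group-A", True, b"\x89PNG..."),
    "avatar-of-bob": StoredMessage("group-B", True, b"avatar"),  # another user's profile picture
    "text-in-same-group": StoredMessage("group-A", False),
    "text-in-other-group": StoredMessage("group-C", False),
}

def load_attachment_leaky(db: Dict[str, StoredMessage], attachment_id: str) -> str:
    """Pre-fix behaviour: the group is never checked and three outcomes are observable."""
    msg = db.get(attachment_id)
    if msg is None:
        return "placeholder"   # missing-attachment placeholder is shown
    if not msg.valid_attachment:
        return "error"         # message exists but isn't an attachment: no placeholder
    return "image"             # loads even if the message belongs to another group

def load_attachment_checked(db: Dict[str, StoredMessage],
                            expected_group_id: str, attachment_id: str) -> str:
    """Post-fix behaviour: only a valid attachment in the expected group loads;
    every other case (absent, other group, not an attachment) is indistinguishable."""
    msg = db.get(attachment_id)
    if msg is None or msg.group_id != expected_group_id or not msg.valid_attachment:
        return "placeholder"
    return "image"

def probe_outcomes(db: Dict[str, StoredMessage], expected_group_id: str,
                   ids: List[str], checked: bool) -> Dict[str, str]:
    """What the recipient would observe for each probed id under either loader."""
    result = {}
    for attachment_id in ids:
        if checked:
            result[attachment_id] = load_attachment_checked(db, expected_group_id, attachment_id)
        else:
            result[attachment_id] = load_attachment_leaky(db, attachment_id)
    return result

if __name__ == "__main__":
    probes = ["avatar-of-bob", "text-in-other-group", "no-such-id", "att-in-same-group"]
    print("leaky:  ", probe_outcomes(SAMPLE_DB, "group-A", probes, checked=False))
    print("checked:", probe_outcomes(SAMPLE_DB, "group-A", probes, checked=True))
```

With the leaky loader the outcomes for `avatar-of-bob` ("image"), `text-in-other-group` ("error") and `no-such-id` ("placeholder") all differ, which is exactly the signal the two attack variants rely on; with the group-checked loader all three produce "placeholder" and only the attachment that genuinely belongs to the sender's own group loads.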

Edited by akwizgran