Security Risk: Loading external images #36

Open
parvez opened this issue Feb 9, 2021 · 1 comment
@parvez
Collaborator

parvez commented Feb 9, 2021

Rendering the logos from the team URLs is a security risk. Is there any way the backend could store the logos instead of saving the URLs? Another option is that we could save the base64 of the images instead of the logo URL.

Images are not innocent and are very dangerous; take a look at this article: "Stegosploit hides malicious code in images, this is the future of online attacks".
http://securityaffairs.co/wordpress/37302/hacking/stegosploit-malware-images.html

There is also the issue of leaking the IPs and browser details of everyone who visits the page, with everyone who has a logo going to their own server.

@parvez parvez added bug Something isn't working Back End labels Feb 9, 2021
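
One way a backend could turn logo bytes it fetched once into a stored `data:` URI, so visitors' browsers never contact a team's server (an added example, not part of the original issue or the project's code). The size cap, the accepted formats, the function and exception names, and the CSP header are assumptions; the sample bytes are constructed.

```python
import base64

# Assumed limits and formats; not taken from the project.
MAX_LOGO_BYTES = 64 * 1024
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Once logos are inlined, the page can refuse every external image load.
CSP_HEADER = "Content-Security-Policy: img-src 'self' data:"


class LogoRejected(ValueError):
    """Raised when submitted logo bytes fail validation."""


def sniff_mime(raw: bytes) -> str:
    """Derive the MIME type from leading magic bytes, never from a
    client-supplied Content-Type header or file extension."""
    for magic, mime in MAGIC.items():
        if raw.startswith(magic):
            return mime
    if raw[:4] == b"RIFF" and raw[8:12] == b"WEBP":
        return "image/webp"
    # SVG and anything unrecognised is refused: SVG can carry script.
    raise LogoRejected("unsupported or unrecognised image type")


def logo_to_data_uri(raw: bytes) -> str:
    """Validate logo bytes and return a data: URI to store in place of
    the team's logo URL."""
    if not raw:
        raise LogoRejected("empty logo")
    if len(raw) > MAX_LOGO_BYTES:
        raise LogoRejected("logo exceeds size cap")
    mime = sniff_mime(raw)
    # Sniffing checks the container type only; the bytes are stored as-is.
    # Re-encoding the pixels server-side (not shown) would drop extra data.
    return f"data:{mime};base64,{base64.b64encode(raw).decode('ascii')}"


if __name__ == "__main__":
    sample = b"\x89PNG\r\n\x1a\n" + b"\x00" * 4  # constructed, not a real image
    print(logo_to_data_uri(sample))
    print(CSP_HEADER)
```
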
@ReadyPlayerEmma
Contributor

I've made @jcoffland aware of this and we discussed a solution. That will be supported and migrated to in a future update to the API.
