Description
Is there an existing issue for this?
- I have searched the existing issues
Current behavior
The install script for self-hosting Plane (https://prime.plane.so/install/) is leaking the host's machine-id as part of a header that is sent to the download server (S3):
```sh
get_machine_id() {
    if [ -f /etc/machine-id ]; then
        cat /etc/machine-id
    elif [ -f /var/lib/dbus/machine-id ]; then
        cat /var/lib/dbus/machine-id
    else
        echo ""
    fi
}
# ...
MACHINE_ID=$(get_machine_id)
# ...
curl -sL -H "x-machine-signature: ${MACHINE_ID}" # ...
```
This is probably done for tracking how many unique hosts download the installer, which is a bit weird but okay.
The problem is that the machine-id is considered confidential according to the freedesktop docs:
> This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. [...]
So if there's really a need to track individual downloads, it should be done in a way that does not leak the machine-id. The freedesktop docs have proposals for this. I personally wouldn't classify this as a vulnerability directly, but it should clearly be fixed.
Steps to reproduce
- Have a look at what the install script actually does
Environment
Production
Browser
None
Variant
Self-hosted
Version
any
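The keyed-hash approach from the freedesktop text quoted in the issue, sketched as an added example; it is not part of the original report and not Plane's code. `APP_KEY`, `hmac_sha256_hex` and `app_scoped_machine_id` are hypothetical names, the key value is a constructed placeholder, and `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: send an application-scoped ID instead of the raw machine-id.

# Constructed placeholder: a fixed, application-specific key shipped in the script.
APP_KEY="example-installer-id-v1"

# HMAC-SHA256 of stdin under key $1, printed as lowercase hex.
hmac_sha256_hex() {
    # openssl prints "(stdin)= <hex>" or "SHA2-256(stdin)= <hex>" depending on
    # its version; the digest is always the last field.
    openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# Print the keyed hash of the machine ID, or nothing when no valid ID is found
# (same "empty on failure" behaviour as get_machine_id in the issue).
# $1 = key; remaining args = candidate files, defaulting to the two paths
# the install script reads.
app_scoped_machine_id() {
    key=$1
    shift
    [ "$#" -gt 0 ] || set -- /etc/machine-id /var/lib/dbus/machine-id
    for f in "$@"; do
        [ -r "$f" ] || continue
        raw=$(head -n 1 "$f" | tr -d '[:space:]')
        # A machine ID is exactly 32 lowercase hex characters; skip anything else.
        [ "${#raw}" -eq 32 ] || continue
        case "$raw" in *[!0-9a-f]*) continue ;; esac
        printf '%s' "$raw" | hmac_sha256_hex "$key"
        return 0
    done
    return 0
}

# Drop-in for MACHINE_ID=$(get_machine_id): the x-machine-signature header then
# carries a stable per-host value that is not the machine-id itself.
MACHINE_ID=$(app_scoped_machine_id "$APP_KEY")
```

The derived value is still stable per host, so unique-download counting keeps working, while the same host yields an unrelated value under any other application's key.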