Is there an existing issue for this?
Current behavior
The install script for self-hosting plane (https://prime.plane.so/install/) is leaking the host's machine-id as part of a header that is sent to the download server (S3):
This is probably done for tracking how many unique hosts download the installer, which is a bit weird but okay.
The problem is that the machine-id is considered confidential according to the freedesktop docs:
This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. [...]
So if there's really a need to track individual downloads, it should be done in a way that does not leak the machine-id. The freedesktop docs have proposals for this. I personally wouldn't classify this as a vulnerability directly, but it should clearly be fixed.
Steps to reproduce
Have a look at what the install script actually does
Environment
Production
Browser
None
Variant
Self-hosted
Version
any
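The freedesktop recipe quoted in the report (keyed cryptographic hash of the machine ID under a fixed, application-specific key) as an added example; this is not code from the Plane installer or from systemd. The HMAC-SHA256 construction, the UUID rendering of the result, the APP_KEY value and the sample machine-id are all assumptions of this example.

```python
"""Derive a stable, per-application install identifier from /etc/machine-id
instead of sending the raw machine-id to a download server.

Recipe from the machine-id man page: keyed cryptographic hash (here HMAC-SHA256)
of the machine ID under a fixed, application-specific key. Output format is
this example's own choice.
"""
import hashlib
import hmac
import re
import uuid
from pathlib import Path

# Fixed, application-specific key. Hypothetical value chosen for this example;
# a real installer would embed one constant of its own.
APP_KEY = uuid.UUID("5b2a7f1c-8d3e-4a6b-9c0d-1e2f3a4b5c6d").bytes

# Constructed sample machine-id (32 lowercase hex digits, as in /etc/machine-id).
SAMPLE_MACHINE_ID = "3f8a1d2b4c5e6f708192a3b4c5d6e7f8"

_MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def read_machine_id(path="/etc/machine-id") -> str:
    """Read and validate the host machine-id (trailing newline stripped)."""
    raw = Path(path).read_text().strip()
    if not _MACHINE_ID_RE.match(raw):
        raise ValueError("malformed machine-id")
    return raw


def app_specific_id(machine_id: str, app_key: bytes = APP_KEY) -> str:
    """HMAC-SHA256(key=app_key, msg=raw 16 ID bytes), truncated to 128 bits and
    rendered as a UUID: stable per host and application, but it neither reveals
    the machine-id nor matches the ID derived by any other application key."""
    if not _MACHINE_ID_RE.match(machine_id):
        raise ValueError("malformed machine-id")
    digest = hmac.new(app_key, bytes.fromhex(machine_id), hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))


def download_header(machine_id: str) -> dict:
    """Header an installer could send in place of the raw machine-id."""
    return {"X-Install-Id": app_specific_id(machine_id)}


def header_exposes_machine_id(headers: dict, machine_id: str) -> bool:
    """Check, e.g. in a test of the install script, that no outgoing header
    carries the raw machine-id, with or without UUID dashes."""
    forms = {machine_id, str(uuid.UUID(hex=machine_id))}
    return any(f in v for v in headers.values() for f in forms)
```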