The getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.
Authenticated users are able to query the getReadReceipts Meteor server method to enumerate existing Message IDs:
    // Proof of concept: a MongoDB operator object is passed where a plain string ID is expected
    Meteor.call("getReadReceipts", {
      messageId: { $regex: ".*" }
    }, (...args) => console.log(...args));
When guessing individual characters of a Message ID in the $regex MongoDB query of the messageId parameter, the server will respond with an error in case no message matches and return an (empty) list in case one does, so the response itself discloses whether a matching message exists.
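As an added example (not Rocket.Chat's own code), the following places the vulnerable handler shape beside a hardened one that rejects any non-string messageId before it reaches the query; the message store and the findMessage selector matcher are constructed stand-ins for the MongoDB collection, and the check mirrors what Meteor's check(messageId, String) would do in a real method.

```javascript
// Constructed sample store standing in for the messages collection.
const MESSAGES = [
  { _id: "aB3xYz9kLmNopQrSt", readReceipts: [] },
  { _id: "zz99", readReceipts: [] },
];

// Minimal stand-in for Mongo selector matching: accepts a literal string or a
// { $regex } object, which is exactly the behaviour that made the bug exploitable.
function matchesSelector(value, selector) {
  if (typeof selector === "string") return value === selector;
  if (selector && typeof selector === "object" && typeof selector.$regex === "string") {
    return new RegExp(selector.$regex).test(value);
  }
  return false;
}

function findMessage(selector) {
  return MESSAGES.find((m) => matchesSelector(m._id, selector.messageId)) || null;
}

// Vulnerable shape: the client-controlled value is used in the selector as-is,
// so an operator object such as { $regex: "^aB3" } is evaluated by the database
// and the error/empty-list split reveals whether a matching message exists.
function getReadReceiptsVulnerable({ messageId }) {
  const msg = findMessage({ messageId });
  if (!msg) throw new Error("error-invalid-message");
  return msg.readReceipts;
}

// Hardened shape: only a plain string is accepted, so operator objects never
// reach the query. Validation happens before any database access.
function assertPlainString(value, name) {
  if (typeof value !== "string") {
    throw new Error(`error-invalid-params: ${name} must be a string`);
  }
}

function getReadReceiptsHardened({ messageId }) {
  assertPlainString(messageId, "messageId");
  const msg = findMessage({ messageId });
  if (!msg) throw new Error("error-invalid-message");
  return msg.readReceipts;
}
```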
getReadReceipts with $regex

An adversary can enumerate existing Message IDs on the server with regular expression pattern matching.
Fixed in versions 4.7.5, 4.8.2 and 5.0.0