Rocket.Chat: Message ID Enumeration with Regular Expression in getReadReceipts Meteor method

Summary

The getReadReceipts Meteor server method does not properly filter user inputs that are passed to MongoDB queries, allowing $regex queries to enumerate arbitrary Message IDs.

Description

Authenticated users are able to query the getReadReceipts Meteor server method to enumerate existing Message IDs:

Meteor.call("getReadReceipts", {
  messageId: { $regex: ".*" }
}, (...args) => console.log(...args));

When guessing individual characters of a message in the $regex MongoDB query of the messageId parameter, the server will respond with an error in case a message does not exist and return an (empty) list in case it does.

Releases Affected:

• 3.18.2
• 4.0.3

Steps To Reproduce (from initial installation to vulnerability):

(Add details for how we can reproduce the issue)

1. Login to Rocket.Chat as any authenticated user
2. Query getReadReceipts with $regex
3. Repeat step 2 until the full Message ID was found

Supporting Material/References:

• imports/message-read-receipt/server/api/methods/getReadReceipts.js

Suggested mitigation

• Filter messageId parameter of the Meteor method

Impact

An Adversary can enumerate existing Message IDs on the server with Regular Expression pattern matching.

Fix

Fixed in versions 4.7.5, 4.8.2 and 5.0.0