
[🔥] Security Issue - If I delete memberId from network requests, I can see all channels

Open ertucaglar opened this issue 7 months ago • 0 comments

Issue

We are making a Zoom integration on our application. After a long time, we could not pass the security checks. The main issue we experienced was that during Zoom security reviews, if we manipulate Stream.io's API requests, the user can also access other channel information. When we checked this issue ourselves, we saw that when we removed the user_id in the request params and the filters in the request body, we can see other channels in the account.

This is not an action that the end user can do, but Zoom considers this as a security vulnerability and does not approve our application for Zoom Marketplace.

First, we examined the roles & permissions settings, but we could not find a role that would produce this result.

Can you help us, how can we fix this issue?

Steps to reproduce

Steps to reproduce the behavior:

  1. Monitor application requests with a tool like Proxyman
  2. Clear the filters in the request body of the https://chat.stream-io-api.com/channels request; I've added a request body below as an example.
  3. When you run the request, you can see the channels, some channels belong to the user, some channels do not belong to the user.
// request url
https://chat.stream-io-api.com/channels?user_id=XXXXX&connection_id=XXXXXX&api_key=XXXXX

// request body
// In the request below, when you delete the **filter_conditions.members** object, you can access all channels.
{
    "filter_conditions": {
        "type": "messaging",
        "members": {
            "$in": [
                "XXXXXX"
            ]
        },
        "frozen": false,
        "$or": [
            {
                "hidden": false
            }
        ]
    },
    "sort": [
        {
            "field": "last_message_at",
            "direction": -1
        }
    ],
    "state": true,
    "watch": true,
    "presence": true,
    "limit": 30,
    "offset": 0
}

Expected behavior

When I delete the user parameters in the request, the API should actually return an error, or the channels should not be returned at all.

Project Related Information

Customization


# N/A

Offline support

  • [ ] I have enabled offline support.
  • [ ] The issue I'm having does not occur when offline support is disabled. (strike out if not applicable)

Environment


package.json:

# N/A

react-native info output:

 OUTPUT GOES HERE
  • Platform that you're experiencing the issue on:
    • [X] iOS
    • [X] Android
    • [ ] iOS but have not tested behavior on Android
    • [ ] Android but have not tested behavior on iOS
    • [ ] Both
  • stream-chat-react-native version you're using that has this issue:
    • e.g. 5.4.3
  • Device/Emulator info:
    • [ ] I am using a physical device
    • OS version: e.g. Android 10
    • Device/Emulator: e.g. iPhone 11

Additional context

Screenshots



ertucaglar avatar Jun 08 '25 14:06 ertucaglar
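The manipulation described in this issue is a broken object-level authorization pattern: the only thing scoping the query to the caller is the members filter that the client itself sends, so a caller who drops it widens the result set. What follows is an added example, not code from the issue, the reporter, or Stream's SDK or API. It shows the two checks a practitioner wants here: the audit step a reviewer runs over a query-channels style response (which returned channels do not list the requesting user as a member?), and the server-side guard that any backend component issuing or proxying such a query should apply, taking the user id from the authenticated session rather than from the request. The response shape, the sample data and the function names are assumptions; the sample is constructed to include one leaked channel.

```javascript
// Added example; not part of the issue or of Stream's SDK.
// Assumption: a simplified query-channels style response where each entry
// carries `channel.cid` and a `members` array of `{ user_id }` objects.

// Constructed sample: "alice" is a member of two channels; the third one
// would only appear if the members filter had been stripped from the query.
const SAMPLE_RESPONSE = {
  channels: [
    { channel: { cid: "messaging:team-a" },    members: [{ user_id: "alice" }, { user_id: "bob" }] },
    { channel: { cid: "messaging:alice-bob" }, members: [{ user_id: "alice" }, { user_id: "bob" }] },
    { channel: { cid: "messaging:finance" },   members: [{ user_id: "carol" }, { user_id: "dave" }] },
  ],
};

// Audit check used by a reviewer replaying the request without the members
// filter: every returned channel must list the requesting user as a member.
// Returns the cids that violate that rule; an empty array is the expected result.
function leakedChannels(response, userId) {
  return response.channels
    .filter((entry) => !entry.members.some((m) => m.user_id === userId))
    .map((entry) => entry.channel.cid);
}

// Server-side guard: the client is never the source of truth for the scoping
// filter. Whatever filter the client sent, the members condition is forced to
// the session user. A client-supplied members filter naming anyone else is
// rejected outright rather than silently rewritten, so the attempt is visible
// in logs instead of being hidden.
function scopeFilterToUser(clientFilter, sessionUserId) {
  const filter = JSON.parse(JSON.stringify(clientFilter || {}));
  if (filter.members !== undefined) {
    const members = filter.members;
    const ids = Array.isArray(members.$in)
      ? members.$in
      : typeof members === "string" ? [members] : null;
    if (ids === null || ids.some((id) => id !== sessionUserId)) {
      throw new Error("members filter must be scoped to the authenticated user");
    }
  }
  filter.members = { $in: [sessionUserId] };
  return filter;
}

// Stand-alone demonstration: the audit over the constructed response, then the
// guard applied to a filter from which the client removed the members condition.
const leaked = leakedChannels(SAMPLE_RESPONSE, "alice");
const scoped = scopeFilterToUser({ type: "messaging", frozen: false }, "alice");
console.log("leaked channels:", leaked);
console.log("scoped filter:", JSON.stringify(scoped));

module.exports = { SAMPLE_RESPONSE, leakedChannels, scopeFilterToUser };
```

The audit function is the check to add to a release test: replay the captured request with and without the members filter and assert that the result is empty in both cases. The guard only helps where a server-side component builds or forwards the query; a client that talks to the API directly with its own token cannot be trusted to keep the filter, so the enforcement ultimately has to live in the API's permission model.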