Bulk list client endpoint exposes too much metadata about a client

High
raphaelrobert published GHSA-qx8q-rhq2-rg4j Mar 19, 2021

Package

brig

Affected versions

> 2021-02-16

Patched versions

2021-03-02

Description

The following client (device) metadata of all users was exposed by the GET /users/list-clients endpoint:

  • id: Id of the device (public by design)
  • class: Class of the device, could be desktop, mobile or legalhold (public by design)
  • type: Type of the device, could be permanent, temporary or legalhold
  • location: Coarse location of the device when it was registered (inferred from IP address)
  • time: Time of registration of the device
  • cookie: Label of the cookie, used to revoke cookies

The endpoint could be called by any logged-in user to request the client details of any other user on the same backend (no connection between the two users was required), provided the caller knew the target's user ID.
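The following is an added illustration, not code from wire-server (which is written in Haskell): it models the bulk list-clients response before and after the fix, restricting other users' client records to the two fields the advisory marks "public by design" (id and class), and includes a small checker that reports any non-public field present in a response. The in-memory `CLIENTS` store, the handler names and the sample records are constructed for this example and are not taken from the project.

```python
"""Added example (not wire-server code): bulk list-clients response before and
after restricting it to public fields, plus a checker for leaked metadata.

Assumptions (not from the advisory): the in-memory CLIENTS store, the handler
names and the JSON field layout are constructed for illustration."""

from typing import Dict, List, Set

# Fields the advisory marks "public by design"; everything else must not be
# returned for other users' clients.
PUBLIC_CLIENT_FIELDS = ("id", "class")

# Constructed sample data: two users with registered devices. The full records
# carry exactly the metadata the advisory says was exposed.
CLIENTS: Dict[str, List[dict]] = {
    "alice-uuid": [
        {"id": "a1b2", "class": "desktop", "type": "permanent",
         "location": {"lat": 52.5, "lon": 13.4},
         "time": "2021-02-20T10:00:00Z", "cookie": "alice-laptop"},
        {"id": "c3d4", "class": "mobile", "type": "permanent",
         "location": {"lat": 48.1, "lon": 11.6},
         "time": "2021-02-21T08:30:00Z", "cookie": "alice-phone"},
    ],
    "bob-uuid": [
        {"id": "e5f6", "class": "legalhold", "type": "legalhold",
         "location": None, "time": "2021-02-22T09:00:00Z", "cookie": "lh"},
    ],
}


def list_clients_vulnerable(user_ids: List[str]) -> Dict[str, List[dict]]:
    """Behaviour before the fix: any authenticated caller receives the full
    client record (type, location, time, cookie label) for every requested
    user, whether or not they are connected to that user."""
    return {uid: [dict(c) for c in CLIENTS.get(uid, [])] for uid in user_ids}


def to_public_client(client: dict) -> dict:
    """Project a full client record onto its public fields only."""
    return {k: client[k] for k in PUBLIC_CLIENT_FIELDS if k in client}


def list_clients_fixed(user_ids: List[str]) -> Dict[str, List[dict]]:
    """Behaviour after the fix: other users' clients come back as public
    projections (id and class only); unknown user ids yield empty lists."""
    return {uid: [to_public_client(c) for c in CLIENTS.get(uid, [])]
            for uid in user_ids}


def leaked_fields(response: Dict[str, List[dict]]) -> Dict[str, Set[str]]:
    """Checker: map user id -> set of non-public field names found in that
    user's client entries. An empty dict means nothing beyond id/class leaked.
    Can be run over a decoded JSON response from a real deployment."""
    public = set(PUBLIC_CLIENT_FIELDS)
    leaks: Dict[str, Set[str]] = {}
    for uid, clients in response.items():
        extra: Set[str] = set()
        for c in clients:
            extra |= set(c) - public
        if extra:
            leaks[uid] = extra
    return leaks


if __name__ == "__main__":
    ids = ["alice-uuid", "bob-uuid", "nobody-uuid"]
    print("vulnerable:", leaked_fields(list_clients_vulnerable(ids)))
    print("fixed:     ", leaked_fields(list_clients_fixed(ids)))
```

To check a live backend the same way, decode the JSON body returned by the bulk endpoint with `json.load` and pass it to `leaked_fields`; any key other than `id` and `class` in the result means the server is still serving the pre-fix response.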

Impact

Any authenticated user on a Wire backend could use this endpoint to obtain the registration time and coarse registration location of every device belonging to an arbitrary list of users, without being connected to them.

Patches

Fixed in https://github.com/wireapp/wire-server/releases/tag/v2021-03-02

Workarounds

Remove the /list-clients route from the nginx configuration so that requests to it are no longer forwarded to brig, until the backend is upgraded to a patched release.

References

N/A

Severity

High

CVE ID

CVE-2021-21396

Weaknesses

No CWEs