I stumbled into this issue since one of my kid’s teachers uses Remind. The issue is that any picture posted on Remind is publicly accessible from the Cloudflare CDN. I have notified Remind’s Security Team of the issue.
Here is an example of a picture that my son’s teacher posted to Remind that can be accessed by anyone:
Below are the steps to reproduce the issue:
1. Log in to remind.com.
2. Click on a class in the “Classes Joined” group.
3. Click on the “Files” tab.
4. Move the mouse to an image entry.
5. Click “View”; the image opens together with its message.
6. Click on “Open”.
7. Observe a URL similar to the one above.
8. On a separate computer that is not logged in to remind.com, navigate to the URL from step 7.
9. Observe that the image is viewable without being prompted to log in to remind.com.
Why is this an issue: Remind is geared for schools, among others, for teachers/facilitators to communicate with parents or share pictures with them. Their documentation emphasises the privacy of communication and files posted through their site. However, making pictures (I assume this would work with any files) attached by a teacher to a Remind message publicly available could be a violation of school policy, placing the teacher unexpectedly at risk, or worse.
On Nov 28, 2018 Dave Lyons from Remind replied that “This is intended behaviour, unfortunately due to inherent restrictions in sending out messages to unauthenticated SMS-only users. (They have no ‘login’)”. Although I agree that with current technology UUIDs are difficult to enumerate, this is still security by obscurity. It will only be a matter of time before it becomes technologically feasible to enumerate UUIDs while the pictures are still relatively current.
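The vendor's position is that SMS-only recipients have no login, so the link itself has to be the only credential. A bare UUID link never stops working and its only protection is unguessability. The added example below (my illustration, not Remind's code or design) shows the usual alternative for a no-login recipient: a URL whose path and expiry time are bound together by an HMAC, so the link still opens without an account but expires after a deadline and cannot be edited to point at another file. The host, signing key, file path and timestamps are all constructed placeholders.

```python
"""Time-limited signed file URLs as an alternative to bare UUID links.

Added example, not Remind's code. A capability URL that anyone holding it
can open is only as strong as its unguessability and never expires.
Binding the path to an expiry with an HMAC keeps the "no login needed"
property for SMS-only recipients while making the link short-lived and
tamper-evident.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret; a real deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-real"
BASE = "https://files.example.test"  # placeholder host, not Remind's CDN


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the path and expiry so neither can be changed alone."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return a URL for `path` that is valid for `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{BASE}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Accept only an untampered path with an unexpired, matching signature."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters: no access
    if now >= expires:
        return False  # link has expired
    # Constant-time comparison so a wrong signature is not detectable by timing.
    return hmac.compare_digest(sig, _mac(parsed.path, expires))


if __name__ == "__main__":
    t0 = 1_543_363_200  # constructed timestamp: 2018-11-28 00:00 UTC
    url = sign_url("/files/PLACEHOLDER-FILE-ID.jpg", ttl_seconds=3600, now=t0)
    print(url)
    print(verify_url(url, now=t0 + 60))        # within the window: True
    print(verify_url(url, now=t0 + 3601))      # expired: False
    print(verify_url(url.replace("PLACEHOLDER", "OTHER"), now=t0 + 60))  # tampered path: False
```

The check on the serving side needs nothing from the recipient beyond the link, which is the constraint the vendor cites; what changes is that a leaked or forwarded link goes stale instead of staying live indefinitely, and the exposure window becomes a policy choice rather than a property of the URL format.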
2018-10-11: Email sent to security-at-remindhq.com per their security policy
2018-11-27: Contacted Remind via social media for info on how to reach their security team after not receiving any response to the initial email.
2018-11-28: Received a response from the security team that this is intended behavior to support users who only receive notifications via SMS and do not have an account.