Remind Platform CDN misconfiguration

I stumbled into this issue since one of my kid’s teachers uses Remind. The issue is that any pictures posted on Remind are publicly accessible from the Cloudflare CDN. I have notified Remind’s Security Team of the issue.

Here is an example of a picture that my son’s teacher posted to Remind that can be accessed by anyone:

https://dega2pc35ccak.cloudfront.net/images/3902704a-6918-4048-a1d0-92224946ddcf/image_attachment.jpg

Below are the steps to reproduce the issue:

  1. Login to remind.com.
  2. Click on a class in the “Classes Joined” group.
  3. Click on the “Files” tab.
  4. Move mouse to an image entry.
  5. Click “View”; the image opens together with its message.
  6. Click on “Open”.
  7. Observe the URL similar to the one above.
  8. On a separate computer that is not logged in to remind.com, navigate to the URL from step 7.
  9. Observe that the image is viewable without being prompted to log in to remind.com.

Why is this an issue: Remind is geared for schools, among others, for teachers/facilitators to communicate, or share pictures, with parents. Their documentation emphasises the privacy of communication and files posted through their site. However, making pictures (I assume this would work with any files) attached by a teacher to a Remind message publicly available could be a violation of school policy, placing the teacher unexpectedly at risk, or worse.

On Nov 28, 2018 Dave Lyons from Remind responded that “This is intended behaviour, unfortunately due to inherent restrictions in sending out messages to unauthenticated SMS-only users. (They have no ‘login’)”. Although I agree that with current technology UUIDs are difficult to enumerate, this is still security by obscurity. It will only be a matter of time before it becomes technologically feasible to enumerate UUIDs while the pictures are still relatively current.
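The response above frames the choice as either a login or a permanently public URL. A third option, shown here as an added illustration that is not Remind’s or CloudFront’s code (the signing key, CDN host and file path are constructed placeholders), is a time-limited signed link: an SMS-only recipient can open it without an account, but the link stops working once it expires, and a bare object URL with no signature is refused. Major CDNs, CloudFront included, offer signed URLs natively; the HMAC scheme below is a simplified stand-in for that mechanism.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values; a real deployment keeps the key in a secrets store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
CDN_ORIGIN = "https://cdn.example.invalid"  # placeholder CDN host


def _token(path: str, expires: int) -> str:
    """HMAC over the object path and the expiry so neither can be altered."""
    message = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build a link that is valid for ttl_seconds; 'now' is injectable for tests."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"exp": expires, "sig": _token(path, expires)})
    return f"{CDN_ORIGIN}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Edge-side check: reject missing/malformed, expired or tampered links."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # unsigned URLs (like the one in this post) are refused
    if now >= expires:
        return False  # link has expired
    # Constant-time comparison so timing does not leak the expected token.
    return hmac.compare_digest(presented, _token(parsed.path, expires))


if __name__ == "__main__":
    link = sign_url("/images/constructed-id/image_attachment.jpg", 3600)
    print(link)
    print("valid now:", verify_url(link))
```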

Timeline

2018-10-11: Email sent to security-at-remindhq.com per their security policy

2018-11-27: Contacted Remind via social media for info on how to reach their security team after not receiving any response to the initial email.

2018-11-28: Received response from security team that this is intended behavior to support users that are only receiving notification via SMS and do not have an account.
