Zulip Server Private Channel Name Leak Vulnerability via Inactive Status Notifications

Vulnerability

A vulnerability in Zulip Server's channel activity management can lead to unintended exposure of private channel names. The issue arises from a cron job that marks channels as 'inactive' after 180 days of inactivity. When this happens, an event is sent to all users in the organization, not just those subscribed to the channel, leaking the name of the private channel. Additionally, the same update process can inadvertently disclose private channel names to all organization users when a message is sent to a channel that has been inactive for over 180 days. This vulnerability exists in the 'main' branch and was not included in any released versions.

Impact

Exploitation of this vulnerability results in the unintentional disclosure of private channel names to all users in the organization, rather than just to channel subscribers.

Reproduction

1. In Zulip Server, create a private channel and ensure it has no activity for over 180 days.
2. The weekly cron job will automatically mark the channel as 'inactive' and send a notification to all users in the organization, leaking the channel name.
3. To reproduce the second part of the vulnerability, send a message to the private channel after it has been inactive for over 180 days. This will trigger an event that also leaks the channel name to all organization users.
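The bug class described above is an audience-selection error: a channel-update event is fanned out to the whole organization instead of only to the channel's subscribers. The following is an added illustration (not Zulip's code; the Channel/Event model, function names and sample user ids are constructed) that shows the leaking fan-out next to the subscriber-scoped one and a check that reports which recipients should not have seen a private channel's name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Channel:
    name: str
    invite_only: bool           # True for a private channel
    subscribers: frozenset      # user ids subscribed to the channel

@dataclass(frozen=True)
class Event:
    audience: frozenset         # user ids that would receive this event
    payload: dict

def inactive_payload(channel: Channel) -> dict:
    # Constructed stand-in for the "channel marked inactive" update event.
    return {"type": "stream", "op": "update",
            "name": channel.name, "is_recently_active": False}

def mark_inactive_vulnerable(channel: Channel, realm_user_ids: frozenset) -> Event:
    """Leaking fan-out: every user in the realm receives the event, so a
    private channel's name reaches users who are not subscribed to it."""
    return Event(audience=realm_user_ids, payload=inactive_payload(channel))

def mark_inactive_fixed(channel: Channel, realm_user_ids: frozenset) -> Event:
    """Scoped fan-out: private channels notify only their subscribers;
    public channels may still notify the whole realm."""
    audience = channel.subscribers if channel.invite_only else realm_user_ids
    return Event(audience=audience, payload=inactive_payload(channel))

def leaked_to(event: Event, channel: Channel) -> frozenset:
    """Recipients who receive a private channel's name without being
    subscribed. An empty set means the event leaks nothing."""
    if not channel.invite_only:
        return frozenset()
    return event.audience - channel.subscribers

# Constructed sample organization: five users, two of them in a private channel.
REALM_USERS = frozenset({1, 2, 3, 4, 5})
PRIVATE_CHANNEL = Channel("secret-project", True, frozenset({1, 2}))
PUBLIC_CHANNEL = Channel("general", False, frozenset({1, 2, 3}))

if __name__ == "__main__":
    bad = mark_inactive_vulnerable(PRIVATE_CHANNEL, REALM_USERS)
    good = mark_inactive_fixed(PRIVATE_CHANNEL, REALM_USERS)
    print("vulnerable leaks to:", sorted(leaked_to(bad, PRIVATE_CHANNEL)))
    print("fixed leaks to:", sorted(leaked_to(good, PRIVATE_CHANNEL)))
```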

Remediation

Users can update to Zulip Server version 10.0-dev at commit 75be449d456d29fef27e9d1828bafa30174284b4, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.