Turms IM Server Broken Access Control Vulnerability in User Online Status Query
Vulnerability
A broken access control vulnerability has been identified in Turms IM Server versions through v0.10.0-SNAPSHOT. The issue resides in the user online status query functionality, specifically within the handleQueryUserOnlineStatusesRequest() method of UserServiceController.java. This vulnerability allows any authenticated user to query the online status, device information, and login timestamps of other users without proper authorization checks. The absence of access control has been acknowledged by the development team, but no fix has been implemented yet.
Impact
Exploitation of this vulnerability leads to unauthorized disclosure of users' online statuses, device information, and login patterns. This privacy violation enables tracking and profiling of specific users, potentially facilitating social engineering attacks.
Reproduction
To reproduce this vulnerability, authenticate as any valid user and send a QUERY_USER_ONLINE_STATUSES_REQUEST with arbitrary target user IDs. The request can be made using the Turms client or a raw protobuf request. Upon successful exploitation, the online status information of the queried users will be received, including details such as their device type, login timestamp, and user session information.
Remediation
The Turms development team has not yet fixed this vulnerability. Recommended mitigations are to implement relationship-based access control for the query, add configuration options for online status visibility, enforce rate limiting on the request, and add audit logging for online status queries.
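As an added illustration of the mitigations listed above (this is not Turms code; the class name, thresholds and the relationship data are constructed), the following Python sketch filters the target list of a QUERY_USER_ONLINE_STATUSES_REQUEST by mutual relationship and a per-user visibility setting, rate-limits the requester, and records an audit entry for every query:

```python
from collections import deque
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    EVERYONE = "everyone"   # behaves like the unpatched server: no check at all
    CONTACTS = "contacts"   # only mutual contacts may see the status
    NOBODY = "nobody"


@dataclass
class StatusQueryGuard:
    # contacts[u] = users that u has added; constructed in-memory stand-ins for the server's stores
    contacts: dict[int, set[int]]
    visibility: dict[int, Visibility] = field(default_factory=dict)
    default_visibility: Visibility = Visibility.CONTACTS
    max_targets: int = 20            # cap on user IDs per request
    max_queries: int = 30            # rate limit: queries per requester per window
    window_seconds: float = 60.0
    _history: dict[int, deque] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def can_view(self, requester: int, target: int) -> bool:
        if requester == target:
            return True
        vis = self.visibility.get(target, self.default_visibility)
        if vis is Visibility.EVERYONE:
            return True
        if vis is Visibility.NOBODY:
            return False
        # CONTACTS: require the relationship in both directions, so a stranger
        # cannot unlock tracking simply by adding the target on their own side.
        return (target in self.contacts.get(requester, set())
                and requester in self.contacts.get(target, set()))

    def authorize(self, requester: int, targets: list[int], now: float) -> tuple[list[int], list[int]]:
        """Return (allowed, denied); raise PermissionError on oversized or too-frequent requests."""
        if len(targets) > self.max_targets:
            raise PermissionError(f"too many targets: {len(targets)} > {self.max_targets}")
        hist = self._history.setdefault(requester, deque())
        while hist and now - hist[0] >= self.window_seconds:
            hist.popleft()
        if len(hist) >= self.max_queries:
            raise PermissionError(f"rate limit exceeded for user {requester}")
        hist.append(now)
        allowed = [t for t in targets if self.can_view(requester, t)]
        denied = [t for t in targets if t not in allowed]
        # Audit record; a real deployment would ship this to the server's log sink.
        self.audit_log.append(f"status_query requester={requester} allowed={allowed} denied={denied}")
        return allowed, denied
```

The handler would then look up online status only for the `allowed` list, so a one-sided contact, a user who opted out, and an unrelated user all stay invisible to the requester.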
