WHAT IS THE BUG
You can access Object Search while the app is locked. You cannot open the Object, but the titles might be enough data to leak already.
Edit: this also works for Export (leaking all data while the app is locked) and Import (potentially importing an exploit).
HOW TO REPRODUCE IT
Open Anytype and wait for the app to ask for the pin
Locate the systray icon of Anytype and right click on it
Click “Search object”
See that you can see a list of recent Objects with the pin entry in the background
THE EXPECTED BEHAVIOR
You cannot use search while you are not “logged in” with your pin. Either hide the option in the context menu, or only show the pin and after verification show the search menu.
SYSTEM INFORMATION
OS: Windows 11
Device: Dell XPS 15
Anytype Version: 0.29.1
Razor
November 21, 2022, 9:13am
Sure, add to the tracker pls.
Angelo
November 21, 2022, 8:07pm
This report has been added to our issue tracker and received by the Development Team.
Razor
November 23, 2022, 2:23pm
I’ve just removed the ability to open search from tray when pin is locked, so nothing happens when pin is locked right now. Making popup show after you have entered pin is too much effort for closing this hole imo.
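One way to close this class of hole, shown as an added example that is not Anytype's code and not part of the thread: route every tray action through one dispatcher that refuses anything not explicitly lock-safe while the PIN is pending, and derive the menu's enabled flags from the same rule. All names (`createTrayController`, `LOCK_SAFE`, the action ids, the sample handlers) are hypothetical, and the `label`/`enabled`/`click` fields assume an Electron-style menu template as the UI layer.

```javascript
// Added example; every name here is hypothetical, not Anytype's code.
// Actions allowed while the PIN prompt is showing. Everything else is denied.
const LOCK_SAFE = new Set(['show-window', 'quit']);

// Constructed sample handlers standing in for the real features.
const sampleHandlers = {
  'show-window': () => 'window shown',
  'search-object': () => ['Object title A', 'Object title B'],
  'export': () => 'exported',
  'import': () => 'imported',
  'quit': () => 'bye',
};

function createTrayController(handlers) {
  let locked = true;   // locked until the PIN has been verified
  const refused = [];  // refused attempts, kept for logging

  // Single choke point for tray clicks, shortcuts and IPC: the check lives
  // with the action, so a menu entry left visible cannot bypass it.
  function dispatch(action) {
    if (!Object.prototype.hasOwnProperty.call(handlers, action)) {
      throw new Error(`unknown action: ${action}`);
    }
    if (locked && !LOCK_SAFE.has(action)) {
      refused.push(action);
      return { ok: false, reason: 'pin-locked' };
    }
    return { ok: true, value: handlers[action]() };
  }

  // Second layer: grey out the same actions in the tray menu template.
  function buildTrayTemplate() {
    return Object.keys(handlers).map((action) => ({
      label: action,
      enabled: !locked || LOCK_SAFE.has(action),
      click: () => dispatch(action),
    }));
  }

  return {
    dispatch,
    buildTrayTemplate,
    refused,
    lock() { locked = true; },
    unlock(pinVerified) { if (pinVerified === true) locked = false; return !locked; },
  };
}
```

Because Search, Export and Import all pass through `dispatch`, a new tray entry is locked by default until it is deliberately added to `LOCK_SAFE`.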
Angelo
November 30, 2022, 9:12am
This issue has been fixed by the Development Team and will be included in an upcoming release.
Angelo
December 2, 2022, 8:35am
This issue has been fixed by the Development Team and will be included in an upcoming release.
Flip
January 19, 2023, 5:48pm
This has been fixed in the latest release (0.30.0).
Flip
Closed
February 2, 2023, 5:48pm
This topic was automatically closed after 13 days. New replies are no longer allowed.