
[bug]: plane install script leaks the host's machine-id

Open markus-k opened this issue 1 year ago • 1 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current behavior

The install script for self-hosting plane (https://prime.plane.so/install/) is leaking the host's machine-id as part of a header that is sent to the download server (S3):

get_machine_id() {
  if [ -f /etc/machine-id ]; then
    cat /etc/machine-id
  elif [ -f /var/lib/dbus/machine-id ]; then
    cat /var/lib/dbus/machine-id
  else
    echo ""
  fi
}
# ...
MACHINE_ID=$(get_machine_id)
# ...
curl -sL -H "x-machine-signature: ${MACHINE_ID}" # ...

This is probably done for tracking how many unique hosts download the installer, which is a bit weird but okay.

The problem is that the machine-id is considered confidential according to the freedesktop docs:

This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key. [...]

So if there's really a need to track individual downloads, it should be done in a way that does not leak the machine-id. The freedesktop docs have proposals for this. I personally wouldn't classify this as a vulnerability directly, but it should clearly be fixed.

Steps to reproduce

  1. Have a look at what the install script actually does

Environment

Production

Browser

None

Variant

Self-hosted

Version

any

markus-k avatar Sep 18 '24 09:09 markus-k
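
An added example (not part of the original issue and not Plane's code) of the approach the quoted freedesktop text describes: send an HMAC-SHA256 of the machine-id under a fixed, application-specific key instead of the raw value. `APP_KEY` and the function names are hypothetical, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: derive an application-specific host identifier so the raw
# machine-id never leaves the host. APP_KEY and function names are hypothetical.

# Fixed, application-specific key (constructed value; generate once per
# application and keep it constant across releases).
APP_KEY="3f1c2b7e9a4d4c6f8b0e5d2a1c9f7e64"

# Print the machine-id from the first readable candidate file.
# Paths are passed as arguments so the function can be tested offline.
read_machine_id() {
  for f in "$@"; do
    if [ -r "$f" ]; then
      tr -d '[:space:]' < "$f"
      return 0
    fi
  done
  return 1
}

# HMAC-SHA256(key = application key, message = machine-id), hex encoded.
# $1 = application key, remaining arguments = candidate machine-id files.
derive_app_id() {
  key=$1
  shift
  raw=$(read_machine_id "$@") || return 1
  [ -n "$raw" ] || return 1
  # openssl prints "...(stdin)= <hex>"; keep only the digest field.
  printf '%s' "$raw" | openssl dgst -sha256 -hmac "$key" | awk '{print $NF}'
}

# Usage in an installer (header name taken from the issue):
#   SIG=$(derive_app_id "$APP_KEY" /etc/machine-id /var/lib/dbus/machine-id) || SIG=""
#   curl -sL -H "x-machine-signature: ${SIG}" ...
```

The derived value is stable per host for one application key, so unique installs can still be counted, but it cannot be matched against identifiers derived by other software from the same machine-id.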

This is not only a bug but probably also a privacy violation in the EU, as it does not ask for consent or inform beforehand.

IceflowRE avatar Dec 03 '25 20:12 IceflowRE