
Contact's ID is revealed in the URL

[Open] frommMoritz opened this issue 5 years ago • 6 comments

Expected Behavior

I expect a contact's ID not to be part of the URL.

Current Behavior

In my opinion there is no need to have your contact's ID in the URL (https://web.threema.ch/#!/messenger/conversation/contact/ABCDE1234), since the URL is rewritten to https://web.threema.ch/#!/welcome when you open a new Threema Web tab. The inclusion of messenger/conversation/contact/ABCDE1234 is therefore not needed. This compromises users' privacy because an unnecessary indicator of whom you contacted is persisted in your browsing history.

Possible Solution

The contact's ID should be stored within the JavaScript and therefore would not appear in the URL bar and not be pushed to history.

Your Environment

  • Threema Web version: 2.1.7
  • Browser name and version: Firefox 66.0.2

frommMoritz, Apr 12 '19 20:04

Agree that it can be a leak depending on how one uses the browser.

However, an ID (not necessarily the Threema ID) is definitely required to keep track of the view state. Using the Threema ID for that does make sense in order to provide context.

One idea to fix this is to hash the Threema ID with a salt that is being predetermined by the app (or randomly generated for the session by the web client). This would keep the 1:1 mapping but not disclose any privacy relevant data.

lgrahl, Apr 13 '19 15:04

Maybe I'm wrong here, but is not writing the full URL in the browser's address bar optional in a SPA?

ovalseven8, Apr 15 '19 18:04

> Maybe I'm wrong here, but is not writing the full URL in the browser's address bar optional in a SPA?

Yes, that should be possible with pushState.

dbrgn, Apr 16 '19 13:04

Turns out having no URL path at all can be enabled very easily, but it seems that browser navigation is broken by that: https://stackoverflow.com/questions/56933513/angular-ui-router-states-without-url-but-with-working-back-navigation

dbrgn, Jul 08 '19 11:07

> but it seems that browser navigation is broken by that

Is that any problem for this SPA? The browser navigation (go back/forward) does not really work WITHIN the SPA anyway.

ovalseven8, Nov 07 '19 17:11

There's no inherent reason why browser navigation should not work in an SPA.

dbrgn, Nov 11 '19 08:11
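To illustrate the pushState approach and the last point in the thread (that keeping the ID out of the URL does not have to break Back/Forward), here is an added example that is not Threema Web's code and does not use its router: it keeps the open conversation in each History entry's state object and leaves the URL neutral. The `makeHistoryShim` stand-in for `window.history`, the `NEUTRAL_URL` value and the router's shape are this example's assumptions, introduced only so the block runs outside a browser.

```javascript
// Added example (not Threema Web's own code): keep the open conversation in
// the History entry's state object rather than in the URL. Each navigation
// still pushes a history entry, so Back/Forward keep working, while the
// address bar and the history list only ever show one neutral URL.
//
// Assumption for running outside a browser: window.history and the popstate
// event are replaced by the small in-memory stand-in below, which mimics the
// parts of the History API used here (pushState, back, forward, state).
function makeHistoryShim() {
  const entries = [{ state: null, url: '#!/welcome' }];
  let index = 0;
  const listeners = [];
  const history = {
    get state() { return entries[index].state; },
    get length() { return entries.length; },
    pushState(state, _title, url) {
      entries.splice(index + 1);           // discard forward entries, as browsers do
      entries.push({ state, url });
      index = entries.length - 1;
    },
    go(delta) {
      const next = index + delta;
      if (next < 0 || next >= entries.length) return;   // out of range: no-op
      index = next;
      for (const fn of listeners) fn({ state: entries[index].state }); // popstate
    },
    back() { this.go(-1); },
    forward() { this.go(1); },
  };
  return {
    history,
    addPopStateListener: (fn) => listeners.push(fn),
    urls: () => entries.map((e) => e.url),   // what the browser's history list would show
  };
}

const NEUTRAL_URL = '#!/messenger';            // assumed neutral route
const WELCOME = { view: 'welcome', contact: null };

// Router whose view state lives only in history.state. In a browser it is
// wired up as:
//   createRouter(window.history, (fn) => window.addEventListener('popstate', fn))
function createRouter(history, addPopStateListener) {
  let current = WELCOME;
  const render = (state) => { current = state; };   // a real client updates the DOM here

  // Back/Forward: the browser hands back the stored state object, so there is
  // no URL to parse and nothing identifying in the address bar.
  addPopStateListener((ev) => render(ev.state || WELCOME));

  return {
    openConversation(threemaId) {
      const state = { view: 'conversation', contact: threemaId };
      history.pushState(state, '', NEUTRAL_URL);   // URL stays neutral; ID is in state only
      render(state);
    },
    current: () => current,
  };
}

// Usage with the shim (IDs are placeholders, not real contacts):
const shim = makeHistoryShim();
const router = createRouter(shim.history, shim.addPopStateListener);
router.openConversation('ABCDE1234');
router.openConversation('XYZ98765');
shim.history.back();
console.log(router.current(), shim.urls());
```

One caveat a practitioner should weigh before choosing this over an opaque token: browsers may persist `history.state` to disk as part of session restore, so this keeps the ID out of the address bar and the history list but not necessarily out of the browser profile. Storing a session-scoped token in the state object instead of the raw ID closes that gap as well.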