Adding a member to a group leaks this information to all users.
Closed this issue · 0 comments
gregsexton commented
```js
const grp = await skdb.createGroup();
await grp.setMemberPermission(someUser, "r");
```
Results in
```
select * from skdb_group_permissions;
┌─────────┬───────────────────────────────┬───────────────────────────────┬─────────────┬──────────────┐
│ (index) │ groupID │ userID │ permissions │ skdb_access │
├─────────┼───────────────────────────────┼───────────────────────────────┼─────────────┼──────────────┤
│ 0 │ '3ZVVNSpKUkylYNO0ZIGm7Ey5oI1' │ 'fA96m2waGvUIAw-dyA9Z3I75IJC' │ 4 │ 'read-write' │
```
The read-write permission means that all users can see that this user is in the group with permission 4. We should only be sharing this information with the user and group admins.
This info could be used to figure out e.g. a user's friend list or worse depending on the app.
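
The visibility rule described in this issue, as an added example that is not part of the original report and is not SKDB's own code: a toy model in which a row's `skdb_access` names an access group, `'read-write'` admits every user, and a membership row should be readable only by the member and the group admins. The user names, the per-membership access group name, and all function names are assumptions made for illustration.

```javascript
// Toy model of row-level visibility. This is NOT SKDB's implementation.
// Assumption: a viewer sees a row only if the access group named in the
// row's skdb_access admits them, and 'read-write' admits every user.
const EVERYONE = "read-write";

// Constructed sample identities (not taken from the issue).
const GROUP = "group-1";
const ADMIN = "user-admin";
const MEMBER = "user-member";
const OUTSIDER = "user-outsider";
const SCOPED = `${GROUP}:${MEMBER}`; // hypothetical per-membership access group

// Hypothetical access groups: name -> set of users allowed to read tagged rows.
function makeAccessGroups() {
  return new Map([[SCOPED, new Set([ADMIN, MEMBER])]]);
}

function canRead(viewer, row, accessGroups) {
  if (row.skdb_access === EVERYONE) return true;
  const allowed = accessGroups.get(row.skdb_access);
  return allowed !== undefined && allowed.has(viewer); // unknown group: deny
}

// Models what `select * from skdb_group_permissions` returns for one viewer.
function selectVisible(viewer, rows, accessGroups) {
  return rows.filter((row) => canRead(viewer, row, accessGroups));
}

// Audit: membership rows readable by anyone other than the member or an admin.
function leakedMemberships(rows, accessGroups, allUsers, admins) {
  return rows.filter((row) =>
    allUsers.some(
      (u) => u !== row.userID && !admins.has(u) && canRead(u, row, accessGroups)
    )
  );
}

// Row as reported in the issue (world-readable) versus the scoped variant.
const leakyRows = [
  { groupID: GROUP, userID: MEMBER, permissions: 4, skdb_access: EVERYONE },
];
const scopedRows = [
  { groupID: GROUP, userID: MEMBER, permissions: 4, skdb_access: SCOPED },
];
```
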