Username Visible in Download URL from Download Manager

Overview

In versions of TeleScope released before 2019, the download URL carried the username of the downloading user in cleartext, as the value of the actorName parameter. The URL can be obtained by inspecting web traffic with the browser's developer tools. This can constitute a security vulnerability, because it leaks information about the users who performed the download action.

Solution

Please upgrade to the latest TeleScope release if you have a version of TeleScope installed that was released before 2019. If your TeleScope installation has customizations or you're an OnDemand customer, please contact your Account Manager or support for further assistance with upgrading.

Testing

In the fixed versions, the download URL no longer carries parameter keys or their values in cleartext. Instead, the query string is encrypted and supplied as the value of the parameter q. This can be verified by inspecting web traffic after initiating a download action.
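
One way to automate this check against a HAR file exported from the browser's developer tools, as an added example that is not part of the original article or the product's own code. The host, path and parameter values are constructed placeholders, and matching actorName case-insensitively is an assumption of this example.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed HAR fragment: host, path and values are placeholders, not real TeleScope URLs.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://telescope.example.invalid/download?assetId=42&actorName=jdoe"}},
    {"request": {"url": "https://telescope.example.invalid/download?q=Zm9vYmFyYmF6cXV4"}},
    {"request": {"url": "https://telescope.example.invalid/download?id=7&%61ctorName=asmith"}},
    {"request": {"url": "https://telescope.example.invalid/static/app.js"}},
]}})


def classify_url(url):
    """Return 'cleartext-actor', 'opaque-q', 'other-params' or 'no-query'."""
    # parse_qsl percent-decodes keys, so an encoded key such as %61ctorName is still caught.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if not pairs:
        return "no-query"
    keys = [key.lower() for key, _ in pairs]  # case-insensitive match (assumption)
    if "actorname" in keys:
        return "cleartext-actor"   # pre-fix behaviour: username exposed in the URL
    if keys == ["q"]:
        return "opaque-q"          # fixed behaviour: single q parameter only
    return "other-params"          # cleartext keys other than actorName: review by hand


def audit_har(har_text):
    """Return a (location, verdict) pair for every request in a HAR export."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        # Report the location without its query string so the audit output
        # does not repeat the usernames it is looking for.
        location = f"{parts.scheme}://{parts.netloc}{parts.path}"
        findings.append((location, classify_url(url)))
    return findings


if __name__ == "__main__":
    for location, verdict in audit_har(SAMPLE_HAR):
        print(f"{verdict:16} {location}")
```
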
