| 1 | +# MSC4263: Preventing MXID enumeration via key queries |
| 2 | + |
| 3 | +The client-server API allows searching users and querying their profiles via |
| 4 | +[`/_matrix/client/v3/user_directory/search`] and |
| 5 | +[`/_matrix/client/v3/profile/{userId}`], respectively. Both of these APIs can |
| 6 | +among others be abused to enumerate MXIDs. Servers are, therefore, only required |
| 7 | +to return results for users who either share a room with the requesting user or |
| 8 | +are a member of a public room known to the server. In all other cases, |
| 9 | +homeservers can respond with 403 or simply omit the user from the response. |
| 10 | + |
| 11 | +Similarly, on the server-server API, servers are generally permitted to deny |
| 12 | +requests to [`/_matrix/federation/v1/query/profile`] with 403. |
| 13 | + |
| 14 | +The [`/_matrix/client/v3/keys/query`] and |
| 15 | +[`/_matrix/federation/v1/user/keys/query`] endpoints have a similar problem but |
| 16 | +do not currently permit server admins to restrict their responses to conceal |
| 17 | +users. |
| 18 | + |
| 19 | +This proposal carries the behaviour of the user directory and profile APIs over |
| 20 | +to the key query APIs. |
| 21 | + |
| 22 | +## Proposal |
| 23 | + |
| 24 | +When processing [`/_matrix/client/v3/keys/query`] requests, homeservers MUST at |
| 25 | +a minimum consider users who share a room with the requesting user or are a |
| 26 | +member of a public room. This is regardless of the concrete membership value of |
| 27 | +the queried users in those room. |
| 28 | + |
| 29 | +In all other cases, homeservers MAY ignore the queried MXIDs and omit them from |
| 30 | +the response. |
| 31 | + |
| 32 | +Servers MAY deny key queries over federation by responding with 403 and an error |
| 33 | +code of `M_FORBIDDEN` on [`/_matrix/federation/v1/user/keys/query`]. |
| 34 | + |
| 35 | +## Potential issues |
| 36 | + |
| 37 | +None. |
| 38 | + |
| 39 | +## Alternatives |
| 40 | + |
| 41 | +None. |
| 42 | + |
| 43 | +## Security considerations |
| 44 | + |
| 45 | +None. |
| 46 | + |
| 47 | +## Unstable prefix |
| 48 | + |
| 49 | +None. |
| 50 | + |
| 51 | +## Dependencies |
| 52 | + |
| 53 | +None. |
| 54 | + |
| 55 | + [`/_matrix/client/v3/user_directory/search`]: https://spec.matrix.org/v1.13/client-server-api/#post_matrixclientv3user_directorysearch |
| 56 | + [`/_matrix/client/v3/profile/{userId}`]: https://spec.matrix.org/v1.13/client-server-api/#get_matrixclientv3profileuserid |
| 57 | + [`/_matrix/federation/v1/query/profile`]: https://spec.matrix.org/v1.13/server-server-api/#get_matrixfederationv1queryprofile |
| 58 | + [`/_matrix/client/v3/keys/query`]: https://spec.matrix.org/v1.13/client-server-api/#post_matrixclientv3keysquery |
| 59 | + [`/_matrix/federation/v1/user/keys/query`]: https://spec.matrix.org/v1.13/server-server-api/#post_matrixfederationv1userkeysquery |
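Review bot: The federation paragraph (diff lines 32-33) lets servers answer `/_matrix/federation/v1/user/keys/query` with 403 and `M_FORBIDDEN` but gives no criterion for when, while the client-server rule at diff lines 24-27 has one (shared room with the requester, or membership of a public room). A federation request is made by a server rather than by a single requesting user, so the text should say whether the denial is meant to be blanket or per queried MXID, and which queries, if any, a server MUST still answer. Related: "Potential issues" and "Security considerations" both read "None.", yet the omission allowed at diff lines 29-30 means a client that queries keys for a user it does not yet share a room with gets no devices back. That consequence is worth stating there, along with a requirement that an omitted user be indistinguishable in the response from an MXID that does not exist, since otherwise the endpoint still leaks existence. Minor: "those room" at diff line 27 should be "those rooms".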