Currently, the RemoteContact.get interface strongly restricts the values returned using profiles. However, the query values are currently not restricted, meaning that you could leak more information about the contacts' other properties by running continuous queries with different values.
For example, if you wanted to hide a contact's gender from the remote user, that user could currently run the same query multiple times, submitting a different gender_id each time, and therefore extract the contacts' gender IDs after all.
This aspect should also be controlled/filtered by the profiles, and by default be restricted to the return fields.
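
The restriction proposed above, sketched in Python as an added example (not code from this project): the same profile allowlist that filters the returned fields is also applied to the query's filter fields. The contact data, the profile contents and all function names are assumptions; only `gender_id` comes from the issue.

```python
# Constructed sample data. Only gender_id comes from the issue; the other
# field names and the profile contents are assumptions for illustration.
CONTACTS = [
    {"id": 1, "first_name": "Alex", "last_name": "Doe", "gender_id": 2},
    {"id": 2, "first_name": "Sam", "last_name": "Roe", "gender_id": 1},
]
PROFILE_RETURN_FIELDS = frozenset({"id", "first_name", "last_name"})


class FilterNotAllowed(ValueError):
    """A query tried to filter on a field the profile does not expose."""


def search(query, return_fields):
    """Match contacts on every query field, then project to return_fields."""
    rows = [c for c in CONTACTS if all(c.get(k) == v for k, v in query.items())]
    return [{k: v for k, v in r.items() if k in return_fields} for r in rows]


def get_unrestricted(query):
    """Behaviour described in the issue: output is filtered, the query is not."""
    return search(query, PROFILE_RETURN_FIELDS)


def get_restricted(query, filter_fields=PROFILE_RETURN_FIELDS):
    """Proposed default: filter fields are limited to the return fields."""
    denied = sorted(set(query) - set(filter_fields))
    if denied:
        # Reject before reading any data, so the response cannot vary with
        # the value of a hidden field. Silently dropping the filter would
        # instead widen the result set without telling the caller.
        raise FilterNotAllowed(f"filter not permitted by profile: {denied}")
    return search(query, PROFILE_RETURN_FIELDS)


if __name__ == "__main__":
    # gender_id is never returned, yet the match count reveals it.
    print(len(get_unrestricted({"id": 1, "gender_id": 1})))  # no match
    print(len(get_unrestricted({"id": 1, "gender_id": 2})))  # one match
    try:
        get_restricted({"id": 1, "gender_id": 2})
    except FilterNotAllowed as exc:
        print(exc)
```

A profile that needs to allow filtering on a field it does not return can pass a wider `filter_fields` set explicitly, which keeps the default closed.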