MetaData leaks #3

Open
ligi opened this issue Jul 31, 2023 · 2 comments

Comments

@ligi

ligi commented Jul 31, 2023

A huge problem when publishing documents in the context of whistleblowing is metadata leaks. It seems currently the documents are directly fully published, without anyone taking care of protecting the whistleblower. The submission is only one of the deanonymization vectors. This is dangerous, especially as there is nothing indicating it on your website:

[image]

There it looks as if it is safe and private to submit documents. You state: "Zikileaks helps advocates get sensitive documents published without fear."
I urge you to add a warning. This can cost lives in the worst case.
And this is without a look at the source code, because this problem exists even with perfect code. And I guess as this is a hackathon project done in haste, there are other problems hidden. And seeing that it is deployed on Vercel instead of an onion service makes this feeling even stronger.
Also it is counter-productive to just publish the documents directly. This removes the incentive of journalists to look into it in the current system. And without journalists doing the next step after publishing, the publishing will very likely have no effect (other than endangering the whistleblower).
Please look into the works of previous whistleblowing projects before "improving" it. E.g. watch https://media.ccc.de/v/25c3-2916-en-wikileaks / https://media.ccc.de/v/26c3-3567-en-wikileaks_release_10
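As an added illustration of the metadata vector this comment raises (example code written for this page, not code from the issue or from the Zikileaks project): a stdlib-only Python scanner and scrubber for the identifying parts of a `.docx`. OOXML files are zip archives whose `docProps/core.xml` and `docProps/app.xml` parts name the author, the last editor, the company and the editing application, whose `word/comments.xml` carries comment authors, and whose zip entries each carry their own modification timestamp. The sample document, its names, machine name and dates are all constructed for the example.

```python
"""Find and remove submitter-identifying metadata from a .docx before publication.

Constructed example: the sample document and every value in it are made up.
Not covered here: w:rsid revision ids and tracked changes in document.xml,
EXIF in embedded images, and custom.xml; a real pipeline must handle those too.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# app.xml fields that name the organisation or the editing environment.
APP_FIELDS = {"Company", "Manager", "Application", "AppVersion", "TotalTime"}

# core.xml with every property removed; this is what the scrubbed file ships with.
EMPTY_CORE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}"/>'
).encode()

# Constructed docProps as a word processor would write them (values are invented).
SAMPLE_CORE = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Q3 internal memo</dc:title>
 <dc:creator>jane.doe</dc:creator>
 <cp:lastModifiedBy>Jane Doe (ACME-LAPTOP-042)</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2023-07-30T21:14:00Z</dcterms:created>
</cp:coreProperties>'''.encode()
SAMPLE_APP = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{APP_NS}">
 <Application>Microsoft Office Word</Application>
 <Company>ACME Corp</Company>
 <Pages>3</Pages>
</Properties>'''.encode()
SAMPLE_COMMENTS = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:comments xmlns:w="{W_NS}">
 <w:comment w:id="0" w:author="Jane Doe" w:initials="JD"><w:p><w:r><w:t>check</w:t></w:r></w:p></w:comment>
</w:comments>'''.encode()


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (a zip of XML parts) carrying identifying metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE)
        z.writestr("docProps/app.xml", SAMPLE_APP)
        z.writestr("word/comments.xml", SAMPLE_COMMENTS)
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>'.encode())
    return buf.getvalue()


def local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_metadata(docx: bytes) -> dict:
    """Report every identifying value present in the document's metadata parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            for el in ET.fromstring(z.read("docProps/core.xml")):
                if el.text and el.text.strip():
                    found[f"core:{local(el.tag)}"] = el.text.strip()
        if "docProps/app.xml" in names:
            for el in ET.fromstring(z.read("docProps/app.xml")):
                if local(el.tag) in APP_FIELDS and el.text and el.text.strip():
                    found[f"app:{local(el.tag)}"] = el.text.strip()
        if "word/comments.xml" in names:
            authors = {el.get(f"{{{W_NS}}}author") for el in ET.fromstring(z.read("word/comments.xml"))}
            authors.discard(None)
            authors.discard("")
            if authors:
                found["comments:author"] = sorted(authors)
        # Each zip entry has its own mtime, which reveals when the file was last saved.
        found["zip:timestamps"] = sorted({info.date_time for info in z.infolist()})
    return found


def scrub(docx: bytes) -> bytes:
    """Copy the archive with core properties emptied, flagged app.xml fields dropped,
    comment authors blanked and every zip entry timestamp reset to the format's epoch."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "docProps/core.xml":
                data = EMPTY_CORE
            elif info.filename == "docProps/app.xml":
                ET.register_namespace("", APP_NS)  # keep the default namespace on output
                root = ET.fromstring(data)
                for el in list(root):
                    if local(el.tag) in APP_FIELDS:
                        root.remove(el)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            elif info.filename == "word/comments.xml":
                ET.register_namespace("w", W_NS)
                root = ET.fromstring(data)
                for el in root.iter():
                    for attr in (f"{{{W_NS}}}author", f"{{{W_NS}}}initials"):
                        if attr in el.attrib:
                            el.set(attr, "")
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            clean = zipfile.ZipInfo(info.filename, date_time=(1980, 1, 1, 0, 0, 0))
            clean.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(clean, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", find_metadata(doc))
    print("after: ", find_metadata(scrub(doc)))
```

Running the block prints the identifying fields of the constructed document and then the (empty, apart from the reset timestamps) report for the scrubbed copy. The point of the `find_metadata` report is the platform-side check this comment asks for: a submission pipeline can refuse or quarantine anything that still carries such fields instead of publishing it as received.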

@mattiapomelli
Owner

Hey, ligi. Thanks for the feedback. This indeed was a hackathon project we built in <48 hours. There are for sure many improvements that can be made and we admittedly aren't experts in the field of helping whistleblowers. We didn't intend the project to be used IRL (it would need auditing and to not be on Vercel to say the least haha). We thought it was pretty obvious it was just a hackathon project but can add a disclaimer. We completely understand your feedback and appreciate your time digging into what we built. Thank you!

@ligi
Author

ligi commented Jul 31, 2023

Thanks for adding the disclaimer. From the website it is unfortunately not obvious it is a hackathon project, not even a hint anywhere.
