A vulnerability in the Gitter desktop application resulted in an inadvertent leak of your Gitter tokens. This affects v2 and v3 of the Gitter desktop app which we officially distribute for Windows and Linux. This only affects macOS if you manually downloaded v2/v3 (we distribute v1.177 on https://gitter.im/apps).
Thanks to Dale Higgs for responsibly disclosing this vulnerability to us.
Your tokens have already been revoked and rotated. If you want to continue using the desktop app, please download the latest Gitter Desktop v4 app, https://gitter.im/apps
We have not received any reports of unauthorized activity and have no further evidence of misuse; however, due to the nature of the leak, we have no definitive way to attribute additional activity to leaked tokens.
In terms of exposure, someone with your Gitter token can do anything you normally do on Gitter such as sending or deleting messages. If you added GitHub private repo scope, Gitter only allows read-only access to those repositories.
We've released v4 of the desktop app for Windows/Linux which fixes the leak. The recommended macOS v1.177 desktop client is not affected. For the few users that have manually downloaded v3 for macOS, v4 is available for macOS.
In order to mitigate the impact on affected users, user-agents associated with Desktop v2/v3 apps have been revoked, which means users of those application versions will be forced to upgrade to a newer version of the software. We have also revoked desktop OAuth clients/tokens and rotated all personal access tokens because you may have used them to manually authorize in the desktop app.
If you need a new personal access token to access the API, visit https://developer.gitter.im/apps
Exact details of the leak will be made public in this blog post next week, following the completion of corrective actions. Update 2018-6-18: exploit details below
We apologize for this incident, and the inconvenience that occurred.
If you have further questions, you can stop by https://gitter.im/gitterHQ/gitter or email firstname.lastname@example.org
The problem stems from passing around the token in the user-agent, which is sent with every request the desktop client makes. This meant that if someone posted an image from their own server, they could log the user-agent, which included the token.
This bug existed for over 3 years, from before the desktop app was even open-sourced (March 2015).
```javascript
// The offending line in desktop v2/v3: the token is appended to the process-wide
// user-agent string, so every request (including to third-party image hosts) carried it.
frame.nwUserAgent = navigator.userAgent + ' Gitter/' + version + ' Gitter Token/' + settings.token;
```
In desktop v4, we have switched to adding the standard `Authorization: Bearer xxx` header to all Gitter requests. These headers are request specific, so they don't leak to 3rd parties.
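The following is an added example, not code from the Gitter desktop app, that models the v2/v3 leak beside the v4 fix and adds a check a defender could run over a client's outgoing headers. The API origin, token and image URL are constructed values.

```javascript
// Added example: a client that fetches both Gitter API resources and third-party
// images (e.g. one embedded in a chat message). A process-wide header such as the
// user-agent reaches every host; a per-request header can be scoped to the API origin.

const GITTER_ORIGIN = 'https://gitter.im'; // assumed API origin for this example

// Constructed sample values, not real credentials.
const token = 'CONSTRUCTED_TOKEN_0123';
const version = '3.1.0';

// v2/v3 behaviour: token baked into the user-agent that goes to every host.
function leakyHeadersFor(url) {
  return {
    'User-Agent': 'Mozilla/5.0 Gitter/' + version + ' Gitter Token/' + token,
  };
}

// v4 behaviour: standard Authorization header, attached only to same-origin API calls.
function scopedHeadersFor(url) {
  const headers = { 'User-Agent': 'Mozilla/5.0 Gitter/' + version };
  if (new URL(url).origin === GITTER_ORIGIN) {
    headers['Authorization'] = 'Bearer ' + token;
  }
  return headers;
}

// Defender's check: would any header value sent to a non-Gitter host contain the token?
function tokenLeaksTo(url, headersFor) {
  if (new URL(url).origin === GITTER_ORIGIN) return false; // first party is expected to see it
  return Object.values(headersFor(url)).some((v) => v.includes(token));
}

const thirdPartyImage = 'https://third-party.example/pic.png'; // constructed
console.log('v2/v3 leaks token:', tokenLeaksTo(thirdPartyImage, leakyHeadersFor)); // true
console.log('v4 leaks token:   ', tokenLeaksTo(thirdPartyImage, scopedHeadersFor)); // false
```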