Zulip Cloud, Security

Data exported by Zulip Cloud organization administrators contained private files

Alex Vandiver 2 min read

Administrators of Zulip Cloud organizations can export public data from their organization via the organization settings menu. The exports include all the data that appears in public streams, and can be used to migrate from Zulip Cloud to self-hosting Zulip. Note that exporting private data is a separate process that requires contacting Zulip support.

Due to a bug in the public export code, exports of public data contained all uploaded files, even those from private messages and private streams. This may have allowed organization owners or administrators to extract uploaded files that they were not otherwise allowed to access. The content of non-public messages was never included in public exports.

This bug has existed since the public export feature was implemented in August 2019. We have deleted all existing Zulip Cloud exports from our servers, and will be making changes to auto-expire all exports after 7 days in the future. This bug was fixed for self-hosted users in the Zulip Server 5.4 release.

We have notified by email all administrators and users in non-deactivated Zulip Cloud organizations who may have been impacted by this bug. As many organizations have never exported their data, most Zulip Cloud users were not affected.

We would like to thank Antoine Benoist for bringing this issue to our attention.