ParticleJS getEventStream showing **everything**

Is this supposed to return everyone’s event data? I would expect only to see my own data, not the data of everyone using the Particle Cloud for events.

I don’t see any super interesting data in here, it just feels like I’m seeing things I’m not supposed to see.

I’m using the first of the three getEventStream examples in this file: https://github.com/spark/sparkjs/blob/master/examples/client/event_demo.html

To be fair, the comment above it kinda says the following:

//Get all events

It could be just me, but ‘all events’ kinda does sound like ‘all events’ :wink:

If you’re only interested in your own data, you might want to look ito the second example, which says the following:

//Get your devices events

Which gives me the impression that it’ll return the events from your devices, rather than all devices.

2 Likes

It doesn’t kinda say that, it exactly says that. I’m not stupid. I know what the comments say.

Seems like a security issue to me if I’m able to see events that aren’t mine, doesn’t it?

What is the point of an access token if I’m able to use any valid access token to see everyone else’s stuff?

What is the point of encrypting data between a Core or Photon and the Particle Cloud if anyone can just see that data anyway?

I’m not implying that you are :scream:!
Public data does have its uses. Think of data collection organisations (I mean the good ones, not the NSA etc…). Projects in which the community can help gather environmental data can benefit from this information. Also, the cheerlights project is a fun example of what ‘public data’ can do :smile:

Okay, so here’s the thing with these SSEs. They’re sort of ‘tweets for machines’, if you’re familiar with twitter. You can choose to broadcast them publicly, or keep them private. What you choose is up to you. How to do that, is in the docs over here: https://docs.particle.io/reference/firmware/photon/#spark-publish-
You can set ‘public/private’, depending on your personal preference.

Nope. If you decide to scream your bank credentials in the middle of the street, don’t expect nobody to hear them, just because they’re yours. The same goes for twitter. Should you choose to disclose private information publicly, then there’s a good chance other people will see it.
If you don’t want people to see it, use a Private message. Much like on the forums here, I don’t need an account (accesstoken) to be able to view this conversation. I won’t be able to see personal messages without the proper credentials though. The same is true for SSEs.

Well, you can’t. You can see everyone else’s public stuff. The fact that you need an accesstoken to see that is just ‘accidential security’ I guess. It’s like asking people to sign up for twitter before being able to see any tweets. Personal stuff is still personal.

Well, again, they can’t. You’re not seeing personal information. You’re seeing public information. Besides, the communication between the device/cloud is never ‘breached’ since a SSE is being send from the cloud. Your device just tells the cloud what to broadcast on behalf of it. You subscribe to that stream of information, not somewhere in between.

Hopefully that clarified some points. If not, let me know :smile:

It did. Particle cloud is by default insecure.

I have no business seeing anyone else’s data, public or not, unless they opt to provide a way for me to see it, and no one else has any business seeing my data, whether or not it’s personal data.

What I tried (and failed) to say there, is: in my insignificant opinion, event data should be private by default, not public.

Additionally, ParticleJS has no mechanism (that I can find) to make an event private, unless you encode that into the data field of the publishEvent method, which I don’t see documentation on.

When publishing from a device it is trivial to make the data private.

See the Spark.publish() documentation

Spark.publish(String eventName, String data, int ttl, PRIVATE);

The default is public, but it is trivial to make your published data private.

It could be that I misunderstand your issue, since you talk about ParticleJS; and I’m speaking to events published from cores/photons/electrons.

1 Like

Initially, I did not make the distinction between public and private events. I assumed that all events were shown. As @Moors7 pointed out, the comment does say “get all events.”

Now, I guess, I’m griping that I cannot publish a private event from ParticleJS and that they’re not just private by default.

It seems to me that ParticleJS should have feature parity with firmware running on physical devices.

I’ll let Particle folk chime in on whether the difference is an oversight or an intentional decision (and hence why.)

Hi @naikrovek,

Thanks for the great discussion here! and thank you for reporting! We take all security concerns very seriously, and I appreciate you taking the time to report your concerns. If you ever see something that you feel is a security issue, please feel free to ping me privately first here on the forums, or email us at hello@particle.io

It looks like the publishEvent function in Spark-JS / Particle-JS is missing the private parameter. You can add this yourself if you want, but I’ll open an issue in the meantime:

/* if you wanted to fix it locally in the meantime */
SparkApi.prototype.publishEvent = function (eventName, data, accessToken, callback) {
  this.request({
    uri: this.baseUrl + '/v1/devices/events',
    method: 'POST',
    form: {
      name: eventName,
      data: data,
      access_token: accessToken
      //add this line below
      ,private: true
    },
    json: true
  }, callback);
};

I realize this part may be redundant, but here’s all the info in one place:

In this case, yes, you’re seeing the public event firehose. This is somewhat similar to the “Twitter firehose of public tweets” and other similar streams. Publicly published events appear in the public firehose, and only your accounts private events will appear in your own feeds. The API endpoints also correspond to the various privilege levels:

/v1/events -> public firehose
/v1/events/some_filter -> filtered public firehose
/v1/devices/events -> your events from your devices
/v1/devices/some_device/events -> events from that device

You can prevent your events from showing in the public firehose by publishing them privately. For example:

Spark.publish("front-door-unlocked", PRIVATE);
Spark.publish("front-door-unlocked", "Steve unlocked the door", 60, PRIVATE);

Thanks!
David

2 Likes

Thank you. Sorry for the initial abrasiveness, I get a bit agitated when I see things that I believe to be privacy concerns. I was wrong about what I was seeing, and I am now corrected, and I apologize.

I will add that to my own sparkjs code, and if I can find time soon I will do what I can to update sparkjs to include the parameter. I do not know this code well, yet, at all, so I might not succeed. I don’t know.

Thank you for the discussion, corrections, and assistance, everyone.

2 Likes

No Worries! I take any and all reports of any security concerns very seriously, I hope you continue to report any potential issues you see. :slight_smile:

Thanks,
David

1 Like

@Dave

Hi David,

Not trying to hijack this thread, I feel it’s relevant to the discussion:

When I subscribe to my events, how do I distinguish public from private ones? I can I verify that I didn’t accidentally publicize it?

One cumbersome way I can think of is to log in to a different Particle account and see if I notice the events, but is that data somehow already in the existing stream?

Here’s one of mine:
{"name":"thousand","data":"1000 events","ttl":"60","published_at":"2015-09-03T16:14:18.958Z","coreid":"280048000747343339373536"}

I don’t see an indicator here telling me it was public.

Sauce

1 Like

Hi @Sauce,

Ooh, interesting. That sounds like it would be useful for testing, I’ll add that to my backlog and reply back here when I’ve added something to address that. :slight_smile:

Thanks,
David