Skip to content

Security: beamsync/server.go StartServer binds to 0.0.0.0, LAN peers intercept local transfers #101

Description

@anshul23102

Security Bug: File Transfer Server Binds to All Interfaces, Exposing Transfers to LAN

Description

beamsync/server.go StartServer() creates an HTTP server that binds to
0.0.0.0 (all network interfaces) rather than 127.0.0.1 (loopback only).
BeamSync is designed for local device-to-device transfers, but binding to
all interfaces means the HTTP file transfer endpoint is reachable by any
device on the same WiFi or LAN network segment. A network peer who discovers
the port (via ARP scan or mDNS) can initiate a connection and download files
being transferred without the sender's knowledge.

Steps to Reproduce

  1. Start a BeamSync transfer on a device connected to a shared WiFi network.
  2. From another device on the same network, scan for open ports in the
    3000-3098 range: nmap -p 3000-3098 <sender_ip>
  3. Connect to the discovered port: curl http://<sender_ip>:<port>/file
  4. Observe the file being transferred is downloaded by the uninvited peer.

Root Cause

In beamsync/server.go, StartServer() calls http.ListenAndServe
with an address like ":3000" or "0.0.0.0:3000" instead of
"127.0.0.1:3000".

Impact

On any shared network (office WiFi, campus network, home network with
multiple users), transferred files are accessible to all LAN peers,
constituting a confidential data exposure vulnerability.

Proposed Fix

Bind to loopback by default and only bind to a wider address when
explicitly configured:

// beamsync/server.go
bindHost := "127.0.0.1"
if enableLAN := os.Getenv("BEAMSYNC_LAN_MODE"); enableLAN == "true" {
    bindHost = "0.0.0.0"
}
addr := fmt.Sprintf("%s:%d", bindHost, port)
server := &http.Server{Addr: addr, Handler: mux}

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions