Security Bug: File Transfer Server Binds to All Interfaces, Exposing Transfers to LAN
Description
beamsync/server.go StartServer() creates an HTTP server that binds to
0.0.0.0 (all network interfaces) rather than 127.0.0.1 (loopback only).
BeamSync is designed for local device-to-device transfers, but binding to
all interfaces means the HTTP file transfer endpoint is reachable by any
device on the same WiFi or LAN network segment. A network peer who discovers
the port (via ARP scan or mDNS) can initiate a connection and download files
being transferred without the sender's knowledge.
Steps to Reproduce
- Start a BeamSync transfer on a device connected to a shared WiFi network.
- From another device on the same network, scan for open ports in the
3000-3098 range: nmap -p 3000-3098 <sender_ip>
- Connect to the discovered port:
curl http://<sender_ip>:<port>/file
- Observe the file being transferred is downloaded by the uninvited peer.
Root Cause
In beamsync/server.go, StartServer() calls http.ListenAndServe
with an address like ":3000" or "0.0.0.0:3000" instead of
"127.0.0.1:3000".
Impact
On any shared network (office WiFi, campus network, home network with
multiple users), transferred files are accessible to all LAN peers,
constituting a confidential data exposure vulnerability.
Proposed Fix
Bind to loopback by default and only bind to a wider address when
explicitly configured:
// beamsync/server.go
bindHost := "127.0.0.1"
if enableLAN := os.Getenv("BEAMSYNC_LAN_MODE"); enableLAN == "true" {
bindHost = "0.0.0.0"
}
addr := fmt.Sprintf("%s:%d", bindHost, port)
server := &http.Server{Addr: addr, Handler: mux}
Security Bug: File Transfer Server Binds to All Interfaces, Exposing Transfers to LAN
Description
beamsync/server.goStartServer()creates an HTTP server that binds to0.0.0.0(all network interfaces) rather than127.0.0.1(loopback only).BeamSync is designed for local device-to-device transfers, but binding to
all interfaces means the HTTP file transfer endpoint is reachable by any
device on the same WiFi or LAN network segment. A network peer who discovers
the port (via ARP scan or mDNS) can initiate a connection and download files
being transferred without the sender's knowledge.
Steps to Reproduce
3000-3098 range:
nmap -p 3000-3098 <sender_ip>curl http://<sender_ip>:<port>/fileRoot Cause
In
beamsync/server.go,StartServer()callshttp.ListenAndServewith an address like
":3000"or"0.0.0.0:3000"instead of"127.0.0.1:3000".Impact
On any shared network (office WiFi, campus network, home network with
multiple users), transferred files are accessible to all LAN peers,
constituting a confidential data exposure vulnerability.
Proposed Fix
Bind to loopback by default and only bind to a wider address when
explicitly configured: