I'm a bit frustrated with this. I say this as a big fan of tailscale, having promoted them in various places.
Granted, you can't enumerate the ids, but neglecting permissions when adding a node seems like a really stupid oversight.
May I suggest that Tailscale spend some time to double-check that they are applying access control where applicable throughout all aspects of the application.
I appreciate the feedback on this vulnerability, and will continue to be a happy user - but please check that these oversights don't exist elsewhere.
Nobody in this industry consciously neglects authorisation, especially not startups building security solutions. This sort of stuff sometimes just happens, and the root cause always eventually boils down to "we are humans and it is a human thing to make mistakes". They have displayed fantastic response time and transparency on the issue, had the infrastructure in place to assess the impact, credited the reporter, hung out on HN to answer questions...
If anything, this kind of response builds my confidence and trust in them.