[GH-ISSUE #853] Brute force Subscription Names #599

New issue

Closed

opened 2026-05-07 00:25:43 +02:00 by BreizhHardware · 2 comments

BreizhHardware commented

2026-05-07 00:25:43 +02:00

Owner

Originally created by @vysecurity on GitHub (Aug 31, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/853

If you host an externally accessible ntfy server. Couldn't someone brute force the subscription names to:

Read the subscription
SPAM your subscription

There doesn't appear to be any authentication by default. It's publicly accessible by default.

Why is it not "secure by default"?

Originally created by @vysecurity on GitHub (Aug 31, 2023). Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/853 If you host an externally accessible ntfy server. Couldn't someone brute force the subscription names to: 1) Read the subscription 2) SPAM your subscription ? There doesn't appear to be any authentication by default. It's publicly accessible by default. Why is it not "secure by default"?

BreizhHardware closed this issue

2026-05-07 00:25:43 +02:00

BreizhHardware commented

2026-05-07 00:25:43 +02:00

Author

Owner

@Mr-KayJayDee commented on GitHub (Sep 1, 2023):

You can enable auth using nginx or any reverse proxy you are using ˆˆ

@Mr-KayJayDee commented on GitHub (Sep 1, 2023): You can enable auth using nginx or any reverse proxy you are using ˆˆ

BreizhHardware commented

2026-05-07 00:25:44 +02:00

Author

Owner

@binwiederhier commented on GitHub (Sep 1, 2023):

If you host an externally accessible ntfy server. Couldn't someone brute force the subscription names

If you don't have ACLs set up, the topic name is your password, it says so everywhere. If you choose a easy-to-guess/dumb topic name, people will be able to guess it. If you choose a randomly generated topic name, the topic is as good as a good password.

As for brute forcing: it's not possible to brute force a ntfy server for very long, as you'll get quickly rate limited. For ntfy.sh, there's even a fail2ban in place which will ban your IP pretty quickly. Even without that, brute forcing a random 10 digit topic name would take years.

Why is it not "secure by default"?

Sometimes, convenience is more important than security. Sometimes, it doesn't really matter all that much if people know "backup xyz is done".
It is 100% secure by default if you choose a good topic. It just puts the responsibility on the user.
ntfy is simple, simple, simple. Passwords, accounts and all that are the opposite of simple.

@binwiederhier commented on GitHub (Sep 1, 2023): > If you host an externally accessible ntfy server. Couldn't someone brute force the subscription names If you don't have ACLs set up, the topic name is your password, it says so everywhere. If you choose a easy-to-guess/dumb topic name, people will be able to guess it. If you choose a randomly generated topic name, the topic is as good as a good password. As for brute forcing: it's not possible to brute force a ntfy server for very long, as you'll get quickly rate limited. For ntfy.sh, there's even a fail2ban in place which will ban your IP pretty quickly. Even without that, brute forcing a random 10 digit topic name would take years. > Why is it not "secure by default"? 1. Sometimes, convenience is more important than security. Sometimes, it doesn't really matter all that much if people know "backup xyz is done". 2. It is 100% secure by default if you choose a good topic. It just puts the responsibility on the user. 3. ntfy is simple, simple, simple. Passwords, accounts and all that are the opposite of simple.

BreizhHardware referenced this issue

2026-05-07 01:01:41 +02:00

[PR #599] [CLOSED] Support MQTT for sending notification #1343