
A Tailscale user just posted on Reddit that someone randomly joined their tailnet because they were using a free poczta.pl email account. This also happened to another user who was using their university email and saw a bunch of devices that didn't belong to them.

It's a developing story - I expect news sources to cover this soon.

Source: https://www.reddit.com/r/Tailscale/comments/1ksy3xy/someone_just_randomly_joined_my_tailnet/

P.S.: Is there a particular forum where I should post this so that it gets picked up for the WAN Show?


59 minutes ago, Haider Ali Punjabi said:

A Tailscale user just posted on Reddit that someone randomly joined their tailnet because they were using a free poczta.pl email account. This also happened to another user who was using their university email and saw a bunch of devices that didn't belong to them.

It's a developing story - I expect news sources to cover this soon.

Source: https://www.reddit.com/r/Tailscale/comments/1ksy3xy/someone_just_randomly_joined_my_tailnet/

P.S.: Is there a particular forum where I should post this so that it gets picked up for the WAN Show?

If it's a big enough thing, the LMG team would've known either already or soon.



A Tailscale employee has since posted in that thread, so I'll just put it here as well.

 

Quote

Tailscalar here.

Yeah, this sucks.

 

We’re working on changing the identity model. (how users/domains/tailnets all map to each other)

 

When we first started, we were trying to make it easy for companies to sign up and start working with their coworkers, but we had a special case for @gmail.com users getting their own tailnets (because at the time, we only supported Google Auth). Later we added GitHub, and GitHub special cases for individuals vs orgs (which nicely mapped to our single-user vs multi-user tailnets).

 

Over time, we added more auth providers like (and BYO-OIDC) and this whole assume-a-multi-user-tailnet-unless-gmail-and-192-other-shared-email-hosts model really fell apart. We "decompose" (add to our shared email domain list) tailnets every month or so as we find them. We didn’t have your domain on our list previously.

 

We’re in the middle of changing the identity model to make this class of problem go away entirely, though.

 

Meanwhile, we just chatted about it and seems like the quickest thing we can do here is turn on User Approvals for all new tailnets so at least the admin of new tailnets like yours has to approve people joining them.

Edit: Forgot to add my own thoughts as well

 

If you had asked me a week ago, I would have sworn that User Approvals were always on by default, but based on this answer this isn't the case. Good that it's set up that way now, but even when they fix their identity model they should keep this setup for all users and only prompt users about this setting if they're an Enterprise admin setting up their Enterprise account.

Edited by maplepants
Add my thoughts, as I meant to before hitting post too fast
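The identity model the Tailscalar describes (one shared tailnet per email domain, unless the domain is on a shared-provider list such as gmail.com, in which case each user gets their own) can be modelled in a few dozen lines. The following is an added example written for this thread, not Tailscale's code; the type and function names are hypothetical and the behaviour is a deliberate simplification of the quoted description. It shows two unrelated poczta.pl users landing in the same tailnet while the domain is missing from the list, how User Approvals parks the second joiner instead of admitting them, and what "decomposing" a domain into per-user tailnets does.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Tailnet is one network: its members, join requests awaiting an admin,
// and whether User Approvals is switched on for it.
type Tailnet struct {
	Key           string
	Members       map[string]bool
	Pending       map[string]bool
	UserApprovals bool
}

// IdentityModel is a hypothetical simplification of the model in the quoted
// post: every email domain owns one shared tailnet unless the domain is on
// the shared-provider list, in which case each user gets a personal tailnet.
type IdentityModel struct {
	SharedDomains map[string]bool
	Tailnets      map[string]*Tailnet
	ApproveNew    bool // "turn on User Approvals for all new tailnets"
}

func NewIdentityModel(shared []string, approveNew bool) *IdentityModel {
	m := &IdentityModel{SharedDomains: map[string]bool{}, Tailnets: map[string]*Tailnet{}, ApproveNew: approveNew}
	for _, d := range shared {
		m.SharedDomains[strings.ToLower(d)] = true
	}
	return m
}

// TailnetKeyFor decides which tailnet an email address maps to.
func (m *IdentityModel) TailnetKeyFor(email string) (string, error) {
	email = strings.ToLower(strings.TrimSpace(email))
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return "", errors.New("malformed email: " + email)
	}
	domain := email[at+1:]
	if m.SharedDomains[domain] {
		return "user:" + email, nil // personal tailnet, like the gmail.com special case
	}
	return "domain:" + domain, nil // everyone at this domain shares one tailnet
}

// Join places a user in their tailnet. The first user of a new tailnet becomes
// its admin and is admitted outright; later joiners are admitted immediately
// unless User Approvals is on, in which case they wait in Pending.
func (m *IdentityModel) Join(email string) (key string, admitted bool, err error) {
	email = strings.ToLower(strings.TrimSpace(email))
	if key, err = m.TailnetKeyFor(email); err != nil {
		return "", false, err
	}
	tn, ok := m.Tailnets[key]
	if !ok {
		tn = &Tailnet{Key: key, Members: map[string]bool{}, Pending: map[string]bool{}, UserApprovals: m.ApproveNew}
		m.Tailnets[key] = tn
		tn.Members[email] = true
		return key, true, nil
	}
	if tn.UserApprovals {
		tn.Pending[email] = true
		return key, false, nil
	}
	tn.Members[email] = true
	return key, true, nil
}

// Decompose is the monthly clean-up the post mentions: the domain is added to
// the shared list and its shared tailnet is split so every member lands in a
// personal tailnet (pending requests are dropped). Returns members moved.
func (m *IdentityModel) Decompose(domain string) int {
	domain = strings.ToLower(domain)
	m.SharedDomains[domain] = true
	tn, ok := m.Tailnets["domain:"+domain]
	if !ok {
		return 0
	}
	delete(m.Tailnets, "domain:"+domain)
	moved := 0
	for member := range tn.Members {
		m.Join(member) // now maps to user:<email>
		moved++
	}
	return moved
}

func main() {
	m := NewIdentityModel([]string{"gmail.com"}, false) // poczta.pl not on the list
	m.Join("alice@poczta.pl")
	key, admitted, _ := m.Join("mallory@poczta.pl")
	fmt.Printf("mallory -> %s, admitted=%v, members=%d\n", key, admitted, len(m.Tailnets[key].Members))
	m.ApproveNew = true // the mitigation: approvals on for new tailnets
	m.Join("carol@example.org")
	_, admitted, _ = m.Join("dave@example.org")
	fmt.Printf("with User Approvals, dave admitted=%v\n", admitted)
	fmt.Printf("decomposing poczta.pl moved %d member(s)\n", m.Decompose("poczta.pl"))
}
```

The collision in the first three lines of main is the whole story of the Reddit thread: the second joiner is admitted into a tailnet they share with a stranger because the mapping keys on the domain. Note that User Approvals only helps tailnets created after the switch is flipped, and that decomposing a domain is reactive (it has to be discovered first), which is why the post says the model itself is being replaced.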
