The API integration to manage users exposes to clients sensitive user data, such as the TOTP secret.

The API /api/users/:id, implemented by the show method in api/users_controller.rb, discloses some fields of the user model that are arguably sensitive, such as the TOTP secret if the user is enrolled in two-factor authentication. For example, consider the following request in a test installation, performed with a valid API key.

GET /api/users/416080f9-0cce-4d56-904a-3db9a0c094cf HTTP/1.1
Host: eyedp.example.com:3000
Cookie: _eyed_p_session=f98fa6de3e8ec06d6ffc72ea6dc4f329
Connection: close
X-Api-Key: 67616da9fbdbe0396513487f7eca8542e0fc9e6edae37853fa71fbc3d56af0b0f1c950b8809445be8a0987e7c206323f

The response is the following:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Connection: close
Content-Length: 1223

{
  "status":"ok",
  "result":{
    "id":"416080f9-0cce-4d56-904a-3db9a0c094cf",
    "created_at":"2022-01-18T14:26:38.991Z",
    "updated_at":"2022-01-23T22:27:21.312Z",
    "username":"user1",
    "name":"User",
    "encrypted_otp_secret":"o7lbTBZvBH7iBioWntpjGUNlxvfNTZne6EAo0p+B2xIqL6ePVh3zSB0d/l/w\n7twm\n",
    "encrypted_otp_secret_iv":"sBOyxs/aAgncSK0w\n",
    "encrypted_otp_secret_salt":"_cUUKsIuQJw9KWn5JjHS76Q==\n",
    "consumed_timestep":54765894,
    "otp_required_for_login":true,
    "otp_backup_codes":[
      "$2a$11$ieqa7p4xbSwqCOtgtCBMB.t.7KqM/QmzeqxiCakEee1v8UBpvC9MC",
      "$2a$11$Ck4PwHBlMEjrw8.5BFzcNeMwf1SdJ0lswozJfqvaGwql92GHdyXOG",
      "$2a$11$MjGysJhEajZx2.Qu1K8tRuUYOm2tW.VV4du5vWyCffm2xH6KuZtu.",
      "$2a$11$myRgd7YyECCe.vEaqcqtW.Pkr/raqNxrWJBqzaB0eInaTFz/qopW.",
      "$2a$11$zTUjVUSaVqp.9MUS5tWpr.1XBfamE05lIBVQmguitg5SuEowR6bmC",
      "$2a$11$wBh8v2zknbwE8VnGdGCWR.e.VK8QV4un0IZM30kChlie0KJy1F1tu",
      "$2a$11$Ef/8tKfW9BPPNMS0ICg4SermOPd8Ns.svCpuPZEYfJChaJlOlP0KG",
      "$2a$11$Q/I8OjzPArGJv64/EbGR6u6G/F19nmx.OcFLFmQzTN2ig4glIvGlG",
      "$2a$11$Ypb09L1j0kyuHbbx.zu5peIlTPEtCYIvjLuT3DpeWDuc5S4W8zFL6",
      "$2a$11$EBhhUvoEWkMVCyvIMqCYDexqobQFcN/cFbq7lVyvKRSVMjxGo5czS"
    ],
    "expires_at":null,
    "last_activity_at":"2022-01-23T22:27:23.645Z",
    "disabled_at":null,
    "otp_secret":"L7S6G6MS3LMKDFAL56E6GMIELXINOM3N"
  }
}

Besides the TOTP secret, the response also discloses the hashed backup codes and some encrypted information related to the TOTP implementation.
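As an added example that is not part of this advisory or of EyeDP's own code, the following Ruby shows the allow-list serialization that prevents this class of leak (rendering only named public fields instead of the whole user model), together with a regression check that scans a captured response body for the sensitive field names seen above. The field names are taken from the response; the sample record and its values are constructed.

```ruby
require 'json'

# Field names taken from the response above; the values used below are dummies.
SENSITIVE_USER_FIELDS = %w[
  otp_secret encrypted_otp_secret encrypted_otp_secret_iv
  encrypted_otp_secret_salt otp_backup_codes consumed_timestep
].freeze

# Allow-list for the API representation of a user: a column that is not
# listed here is never serialized, so a newly added secret cannot leak by default.
PUBLIC_USER_FIELDS = %w[
  id created_at updated_at username name otp_required_for_login
  expires_at last_activity_at disabled_at
].freeze

# Hardened serializer: the opposite of rendering the whole model as JSON.
def public_user_json(user)
  user.select { |k, _| PUBLIC_USER_FIELDS.include?(k.to_s) }
end

# Regression check for a captured response body: returns every sensitive
# key found anywhere in the JSON document, nested objects included.
def leaked_sensitive_fields(body)
  found = []
  walk = lambda do |node|
    case node
    when Hash
      node.each do |k, v|
        found << k.to_s if SENSITIVE_USER_FIELDS.include?(k.to_s)
        walk.call(v)
      end
    when Array
      node.each { |v| walk.call(v) }
    end
  end
  walk.call(JSON.parse(body))
  found.uniq
end

# Constructed user record shaped like the "result" object above.
SAMPLE_USER = {
  'id' => '416080f9-0cce-4d56-904a-3db9a0c094cf', 'username' => 'user1',
  'name' => 'User', 'otp_required_for_login' => true,
  'otp_secret' => 'DUMMYBASE32SECRET', 'consumed_timestep' => 1,
  'otp_backup_codes' => ['$2a$11$dummyhash'], 'encrypted_otp_secret' => 'x',
  'encrypted_otp_secret_iv' => 'y', 'encrypted_otp_secret_salt' => 'z'
}.freeze
VULNERABLE_BODY = JSON.generate({ 'status' => 'ok', 'result' => SAMPLE_USER })
FIXED_BODY = JSON.generate({ 'status' => 'ok', 'result' => public_user_json(SAMPLE_USER) })
```

Running leaked_sensitive_fields over a real captured body after upgrading is a quick way to confirm the fix; a non-empty result means the serializer still exposes secrets.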
Impact
This API is only accessible with an API key that administrators can generate. However, the holder of the API key can use the disclosed information (namely, the TOTP secret) to impersonate a user, provided they have already compromised the user's password.
Patches
This issue is resolved in commit 1d19cabd. Users should upgrade to the latest commit on main or to a 1.0.0 or later release.
Workarounds
None
For more information
If you have any questions or comments about this advisory: