Security vulnerability: all saved user data is accessible by anyone #72
If you'd like to test the delete with ID 4988, go ahead. Let me know when you've deleted it and I can check on my end to ensure the delete happened.
I haven't tested yet, but I certainly will very soon. Thanks for pointing this out, and I'm sorry if I missed your email!
…On Wed, Dec 20, 2017 at 1:17 PM, Chris Mildebrandt ***@***.*** > wrote:
If you'd like to test the delete with ID 4988, go ahead. Let me know when
you've deleted it and I can check on my end to ensure the deleted happened.
@eyeofthefrog , I believe that the combination of username + ID is necessary to delete the simulation. If you share the username that created that sim, I will give it a go.
✌️
Sure, it's the same as here...eyeofthefrog :)
Simulation 4988 has been deleted : P
Yep, I can verify that.
This may be obvious, but just for the record, this problem comes down to the fact that there is no authentication on the server. A developer can send off HTTP requests inputting any user that they want, and the server does not check that they are being honest. Adding authentication to the server would solve the problem.
Yeah, I'm actually aiming to rewrite the whole site in python/django and add in better auth (and actual API endpoints) early next year.
…On Wed, Dec 20, 2017 at 2:24 PM, James, please ***@***.***> wrote:
This may be obvious, but just for the record, this problem comes down to
the fact that there is no authentication on the server. A developer can
send off HTTP requests inputting any user that they want, and the server
does not check that they are being honest. Adding authentication to the
server would solve the problem.
@boknows , if you're interested in working together on that rewrite, let me know. I'm working on an app that has a cFIREsim-like calculator. I'd be happy to share ideas/code with ya if you think it could be useful ✌️
There are two security problems with cFIREsim that expose user data.
The first issue is straightforward to reproduce: use the globally-available Simulation.getSavedSim() method, and pass it a string SIM ID. Because cFIREsim uses incrementing IDs in the database, it is easy to just loop through and load every saved SIM in the system. I haven't tried clicking "Delete this saved sim" to delete someone else's sim, but my prediction is that it would go through with the action.
Without a username attached, this might not be too worrisome. Maybe the user has some personally-identifying information in the SIM name, but maybe not.
This is where the second problem comes in. You can find the Sim IDs associated with a user by sending the system the right HTTP request. One way to do this is to create a DOM node with the ID "username" with the content that is the user's username. Once you have that DOM element attached to the document, you can call Simulation.getSavedSim() to retrieve the user's SIM ids. Of course, to do this you need to know the user's username. I wasn't sure what the form of a username might be, so I clicked "login" to look for any clues. There, I noticed the text "phpBB3" in the URL. I had my answer: the usernames in the forum must be the same ones used for the service.
It turns out this is correct.
So anyone can:
The problem is that people likely put personal information into their sims that they wouldn't want the world to know about, such as the amount that they have saved. And they probably have the expectation that their data is secure, but it is not. cFIREsim should be updated to only allow the person who made the SIM to access it.
Until that time, I believe that the app should clearly state that the data is not secure.
I originally emailed this to @boknows on Nov. 19th, 2017, but didn't hear back, so I'm opening this issue.
Thanks for reading!
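The fix the thread converges on is server-side authentication plus an ownership check on every read, list and delete, so that a client-supplied username or a guessable sequential id is never what decides access. The following is an added example written for this issue, not cFIREsim's code and not the planned Django rewrite: a small in-memory store in plain Python that shows the unchecked lookup pattern the report describes beside a hardened version. `session_user`, `SimStore`, `NotFound` and the sample sims are all constructed for the illustration; `session_user` stands in for an identity the server has already verified from a session cookie, which a real web framework would supply.

```python
"""Ownership checks for saved simulations (constructed example, not cFIREsim's code)."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class Unauthenticated(Exception):
    """Raised when a request carries no server-verified identity."""


class NotFound(Exception):
    """Uniform error for both 'no such sim' and 'not your sim': the response
    should not tell an unauthorized caller that the id exists."""


@dataclass
class SavedSim:
    sim_id: str
    owner: str      # set server-side at creation, never taken from request input
    name: str
    inputs: dict


@dataclass
class SimStore:
    sims: Dict[str, SavedSim] = field(default_factory=dict)
    next_seq: int = 1  # constructed counter for the sequential-id mode

    # --- the weak pattern the issue describes ------------------------------
    def get_saved_sim_unchecked(self, sim_id: str,
                                username: Optional[str] = None) -> SavedSim:
        """Returns any sim to any caller. `username` is client-supplied text
        that is never compared to anything, so it provides no protection."""
        if sim_id not in self.sims:
            raise NotFound
        return self.sims[sim_id]

    # --- hardened access -----------------------------------------------------
    def _authorize(self, session_user: Optional[str], sim_id: str) -> SavedSim:
        """Single choke point: caller must be authenticated AND own the record."""
        if not session_user:
            raise Unauthenticated
        sim = self.sims.get(sim_id)
        if sim is None or sim.owner != session_user:
            raise NotFound
        return sim

    def create(self, session_user: Optional[str], name: str, inputs: dict,
               opaque_ids: bool = True) -> SavedSim:
        if not session_user:
            raise Unauthenticated
        if opaque_ids:
            # Defence in depth only: unguessable ids stop bulk enumeration but
            # do not replace the ownership check above.
            sim_id = secrets.token_urlsafe(16)
        else:
            sim_id = str(self.next_seq)
            self.next_seq += 1
        sim = SavedSim(sim_id, session_user, name, dict(inputs))
        self.sims[sim_id] = sim
        return sim

    def get_saved_sim(self, session_user: Optional[str], sim_id: str) -> SavedSim:
        return self._authorize(session_user, sim_id)

    def delete_saved_sim(self, session_user: Optional[str], sim_id: str) -> None:
        self._authorize(session_user, sim_id)
        del self.sims[sim_id]

    def list_saved_sims(self, session_user: Optional[str],
                        requested_username: Optional[str] = None) -> List[str]:
        """Ignores any username the client sends; lists only the caller's sims."""
        if not session_user:
            raise Unauthenticated
        return sorted(s.sim_id for s in self.sims.values() if s.owner == session_user)


def is_denied(fn: Callable, *args) -> bool:
    """True when the call is refused with NotFound (helper for checks below)."""
    try:
        fn(*args)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    store = SimStore()
    a = store.create("alice", "retire at 55", {"portfolio": 1}, opaque_ids=False)
    b = store.create("bob", "bob's plan", {"portfolio": 2}, opaque_ids=False)
    print("unchecked lookup of bob's sim by anyone:", store.get_saved_sim_unchecked(b.sim_id).owner)
    print("alice reading bob's sim denied:", is_denied(store.get_saved_sim, "alice", b.sim_id))
    print("alice listing with requested_username=bob:", store.list_saved_sims("alice", "bob"))
```

The point of `_authorize` is that every data path goes through the same two questions (who is the caller, and do they own this row) before anything is read or deleted; the sequential-versus-opaque id choice is left as an option to show that it is an additional layer, not the fix.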