Critical Security Alert #2389194 #1691

Closed
2 tasks done
entrotech opened this issue May 7, 2024 · 1 comment · Fixed by #1693
Labels: bug; Release Note: Shows as Error Correction; features: Security Testing; level: easy; priority: MUST HAVE; role: back-end Node/Express Development Task; size: 0.25pt Can be done in 1.5 hours or less; time sensitive

Comments

entrotech commented May 7, 2024

Describe the bug

ITA reported a Critical Security Bug, which they call Alert #2389194. This is a vulnerability in the Update Account feature, where a malicious user can create their own account, and modify a PUT request to the endpoint for updating an account to update a different user's account. This feature should be disabled until it can be better secured.

Steps

  • It looks like the endpoint is not secured properly, allowing a malicious user to impersonate a different user.
  • Either fix the vulnerability or disable the feature until it can be secured properly.

References

Alert2486073.pdf

@entrotech entrotech added labels bug; Release Note: Shows as Error Correction; role: back-end Node/Express Development Task; level: easy; priority: MUST HAVE; features: Security Testing; time sensitive; size: 0.25pt Can be done in 1.5 hours or less on May 7, 2024
@entrotech entrotech self-assigned this May 7, 2024
@entrotech entrotech changed the title Critical Security Alert # Critical Security Alert #2389194 May 7, 2024
entrotech (Member, Author) commented

Fixed vulnerability by modifying the controller method for /api/accounts/:id/updateAccount to be just /api/accounts/updateAccount, and for the corresponding controller method to retrieve the user's id from the JWT, rather than from the Web API request URL or body. This way, an authenticated user can only update their own login.

This required Hotfix 0.2.50 in production, as well as PR #1693 for a more comprehensive fix in development.

@ExperimentsInHonesty ExperimentsInHonesty added this to the 02 - Security milestone May 7, 2024
Project status: Released