
deal with leak of Venmo access/refresh tokens

@Changaco asked for a dump of the elsewhere table as part of his work on gratipay/gratipay.com#1369 (IRC). I gave him:

I had decided this was acceptable because the elsewhere table doesn't contain any information that's not publicly accessible via existing APIs (the user_info comes from public APIs on other platforms, and the link between a Gittip account and an account elsewhere is scrapable on public Gittip). Except that it does. In gratipay/gratipay.com#1857, when we added the ability to connect a Venmo account, we added access_token and refresh_token fields to the elsewhere table. These are private tokens that can presumably be used to impersonate a Venmo user, which is a big deal because Venmo is a payments company and impersonating a user would likely mean taking their money.

The gist does not contain any access_tokens or refresh_tokens, because I only included the bitbucket, bountysource, github, and twitter platforms in that gist (I didn't have venmo in mind, clearly), and we don't store oauth tokens for those platforms.

The elsewhere.tbz file contains Venmo tokens for approximately 49 users (depending on the exact state of the database when I did the export; currently there are 49 users with venmo attached).

I've taken down the elsewhere.tbz file. The static.whit537.org web server does not keep access logs, so I don't know how many times elsewhere.tbz was downloaded. It was up from Feb 4 at 12:53pm US/Eastern until today, Feb 7 at 8:45am US/Eastern.

Next steps:

  • Understand the implications of leaking oauth access and refresh tokens.
  • Decide how to repair the damage.
  • Decide what notification of affected users is necessary.
  • Decide what notification to Venmo is necessary.

I believe we should be able to simply revoke at least one of the tokens, and hopefully both.

We have another situation with Venmo where we're using an oauth app registered under my personal Venmo account, and would like to move to an oauth app registered under the Gittip Venmo account. It could make sense to make that switch as part of dealing with this ticket.
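As an added example (not code from this issue or from the Gittip codebase): the root cause above is that a table export was assumed to hold only public data while it had since gained credential columns. The pre-share audit below reads a CSV export of an `elsewhere`-style table, finds columns whose names look like credentials, redacts them, and reports how many rows per platform actually carried a secret. The column names and sample rows are constructed for illustration; the token values are placeholders.

```python
import csv
import io
import re

# Constructed sample export of an "elsewhere"-style table (CSV with header row).
# Only the venmo rows carry OAuth tokens, mirroring the situation in the issue.
SAMPLE_EXPORT = """id,platform,user_id,user_name,access_token,refresh_token
1,github,1001,alice,,
2,twitter,1002,bob,,
3,venmo,1003,carol,PLACEHOLDER_ACCESS_1,PLACEHOLDER_REFRESH_1
4,venmo,1004,dave,PLACEHOLDER_ACCESS_2,
5,bitbucket,1005,erin,,
"""

# Column names that must never leave the database in a shared dump.
# Extend this list to match the schema's own naming conventions.
SECRET_COLUMN_RE = re.compile(
    r"(access_token|refresh_token|secret|password|api_key)", re.IGNORECASE
)


def audit_export(csv_text):
    """Redact credential-looking columns in a CSV export.

    Returns (redacted_csv, secret_columns, report) where report maps
    platform -> number of rows that held at least one non-empty secret.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    secret_columns = [f for f in fields if SECRET_COLUMN_RE.search(f)]

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    report = {}
    for row in reader:
        platform = row.get("platform", "?")
        if any(row[c] for c in secret_columns):
            report[platform] = report.get(platform, 0) + 1
        for c in secret_columns:
            # Keep the column (so the schema stays recognisable) but drop the value.
            row[c] = "<REDACTED>" if row[c] else ""
        writer.writerow(row)
    return out.getvalue(), secret_columns, report


if __name__ == "__main__":
    redacted, cols, report = audit_export(SAMPLE_EXPORT)
    print("secret columns:", cols)
    print("rows with secrets per platform:", report)
    print(redacted)
```

A non-empty `report` is the signal to stop and redact before a dump is shared; the per-platform counts also give the list of users whose tokens need revoking if a dump has already gone out.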
