
Need approval of new oauth secret for phabricator
Closed, ResolvedPublic

Description

I accidentally set the view policy to Public on T96618 because I didn't notice that there was actual sensitive information in the comments thread. I quickly corrected the mistake, however, I can't be sure who might have read the comments in the intervening time. I've set up a new oauth consumer on wikimedia.org:

> You have been assigned a consumer token of e3da7a1b8fcd55b28316c9913e1688b7 and a secret token of c193d0b9233f63f92b09e69986fc14a2ae75c052. Please record these for future reference.

But I need a wiki admin to approve it so that I can switch phabricator to use the new consumer key & secret.

I believe @csteipp or @RobLa-WMF can approve.

For future reference, these users can approve oauth consumers:

Also, it's not actually necessary to create a new oauth consumer entry, once one is approved you can just go here, find the consumer, click manage, then check "Reset the secret key to a new value," enter a reason and submit the form. This generates a new secret key without creating a new consumer key.

Event Timeline

mmodell created this task.Feb 29 2016, 2:44 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 29 2016, 2:44 AM
mmodell added a subscriber: hoo.Feb 29 2016, 3:27 AM

@hoo approved my new consumer, switching phabricator to use the new one now.

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptFeb 29 2016, 3:27 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript

And that's done. I was able to log in with oauth after inputting the new oauth consumer keys.

@csteipp: I am relatively sure that this couldn't enable a major security breach since the oauth provider on mediawiki.org does not enable any api access, however, I may not fully understand the implications. Am I missing anything? Does this need to be treated as a potential security breach?

Hi @mmodell , I can't say that I understand the oAuth stuff deeply enough to be in the escalation path for this. I might be able to take ownership of the general "escalation path" issue (not just for oAuth, but generally as part of a decision tree that includes oAuth), but I would need the help of a lot of people to put us on an incremental path toward a reasonably robust solution. I seem to recall that there's a task about this already (possibly even assigned to me). Mukunda, do you anticipate that the escalation path problem for oAuth will likely be an urgent 24x7 problem in the near term?

mmodell updated the task description. (Show Details)Feb 29 2016, 6:09 AM

@RobLa-WMF I don't think so. It was mainly a misunderstanding - I didn't realize I could re-generate the token without anyone's approval. (See my last edit to this task's description)

The only remaining issue is for csteipp to confirm that I haven't underestimated the severity of what I did. The old oauth token was disabled within a few minutes and I don't really think it is possible for the token to be used for seriously damaging purposes. Despite all that, I would appreciate someone checking my assumptions before I close this task.

Thanks for the explanation, @mmodell! I'm glad you got a little jumpy when you weren't sure if you'd opened up a big security hole; it's great knowing people are diligent about security concerns.

Just FYI, the "escalation path" issue from my earlier comment is T115852, which I'm suggesting we treat as an TechCom-RFC.

Glad this got resolved! @mmodell, feel free to call/text/hangout me in the future if you need me right away.

> @csteipp: I am relatively sure that this couldn't enable a major security breach since the oauth provider on mediawiki.org does not enable any api access, however, I may not fully understand the implications. Am I missing anything? Does this need to be treated as a potential security breach?

Yeah, the risk is very low from this since all of the Consumers have had no grants-- so even if someone used it and phished users into approving it, they wouldn't be able to do anything as the user.

We should revoke the old key, 038ec949b263dc807b0079fd88538f37. I'll do that.

Oh, looks like you reset the secret. That's good enough.

And it would probably be good to reset the secret for e3da7a1b8fcd55b28316c9913e1688b7 that you posted on this ticket. Just so it's not available in Phab content.

If someone can MITM the connection between Phabricator and mediawiki.org, they could also forge identity assertions if they have that secret, so best to not leave it around anywhere it doesn't have to be.
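As an added illustration of the risk csteipp describes above (this is example code written for this page, not code from Phabricator, MediaWiki or this task): MediaWiki's OAuth identity endpoint hands the consumer a JWT whose HMAC signature is keyed with the consumer secret, so whoever holds that secret can mint an assertion for any username that the consumer will accept, provided they can also get it onto the wire between Phabricator and mediawiki.org. The block below implements a minimal HS256 signer and verifier from the standard library; the issuer URL, claim layout, user id and the secret values are assumptions made up for the example (the consumer key is the one posted in the task and is not itself secret). It shows the forgery being accepted while the leaked secret is live and rejected once the secret has been reset.

```python
"""Why a leaked OAuth consumer secret lets an attacker forge identity
assertions, and why rotating the secret closes that window.

Constructed example: the issuer URL, claim layout, user id and secret
strings are made up for illustration; only the HS256 JWT mechanics are real.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_identity(consumer_key, consumer_secret, username, nonce, now=None, ttl=300):
    """Mint an HS256 identity JWT keyed with the consumer secret.

    The legitimate provider does this after the user authorises the
    consumer; anyone else holding the secret can do exactly the same.
    """
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "iss": "https://www.mediawiki.org",  # assumed issuer value
        "aud": consumer_key,                 # bound to one consumer key
        "sub": 4242,                         # assumed central user id
        "username": username,
        "iat": now,
        "exp": now + ttl,
        "nonce": nonce,                      # echoes the consumer's request nonce
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(consumer_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_identity(token, consumer_key, consumer_secret, expected_nonce, now=None):
    """Return the payload if the assertion is valid for this consumer, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm instead of trusting the header ("none" / alg confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(consumer_secret.encode(),
                        f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    # The assertion must be for this consumer and answer this request.
    if payload.get("aud") != consumer_key or payload.get("nonce") != expected_nonce:
        return None
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None
    return payload


def rotation_demo(now=1_700_000_000):
    """Forge with the leaked secret, then rotate it.

    Returns (accepted_before_rotation, accepted_after_rotation).
    """
    consumer_key = "e3da7a1b8fcd55b28316c9913e1688b7"   # key posted in the task; not secret
    leaked_secret = "leaked-secret-posted-in-ticket"      # constructed stand-in
    forged = sign_identity(consumer_key, leaked_secret, "WikiAdmin", nonce="n1", now=now)
    before = verify_identity(forged, consumer_key, leaked_secret, "n1", now=now) is not None
    rotated_secret = "fresh-secret-after-reset"           # constructed stand-in
    after = verify_identity(forged, consumer_key, rotated_secret, "n1", now=now) is not None
    return before, after


if __name__ == "__main__":
    print("forged assertion accepted before/after secret reset:", rotation_demo())
```

The verifier pins the algorithm, checks the audience, nonce and validity window, and compares the MAC in constant time; none of that helps while the attacker holds the same secret the verifier uses, which is why the only real fix is the reset described above and not posting the new value anywhere it can be read later.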

csteipp triaged this task as Medium priority.Feb 29 2016, 10:40 PM

@csteipp: Ok I'll reset the secret once again, it will definitely be safer to not have it stored somewhere that's easily exposed. And thank you for checking my assumptions.

I apologize for being careless and also for pinging a bunch of people on a sunday.

mmodell closed this task as Resolved.Mar 1 2016, 12:18 AM

Ok it's reset. Should this task remain private?

Probably no reason to.

mmodell updated the task description. (Show Details)Mar 1 2016, 3:18 AM
mmodell changed the visibility from "Custom Policy" to "Public (No Login Required)".
mmodell changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptMar 1 2016, 3:18 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Restricted Application added a subscriber: Malyacko. · View Herald Transcript
mmodell changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 1 2016, 3:18 AM
mmodell changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptMar 1 2016, 3:18 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
mmodell changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 1 2016, 3:19 AM
mmodell changed the edit policy from "Custom Policy" to "All Users".
mmodell changed Security from Software security bug to None.