Page MenuHomePhabricator

PAWS discloses ToolsDB password, disclosing various nonpublic user information
Closed, ResolvedPublicSecurity


I just happened to notice that PAWS's ToolsDB password is publicly available, which appears to contain client OAuth secrets for PAWS users (secrets connected to my account are there and I confirmed via production database queries they're valid).

Fortunately, it looks the secrets are related to some older version of PAWS (the associated consumer ID is 0a73e346a40b07262b6e36bdba01cba4, which has as the callback; the current PAWS consumer sounds to use instead).

That being said, it still exposes sensitive tokens for a great amount of users. Considering the secret consumer token was necessarily published within the PAWS container (T120469), this means there can be users with the technical ability to impersonate the old PAWS users on-wiki. EDIT: /data/project/paws/Tbayer has the consumer secret as well.

SQL password (and some other secrets) is available in /data/project/paws/hub-rc.


Author Affiliation
Wikimedia Communities

Event Timeline

I've disabled the oauth consumer (0a73e346a40b07262b6e36bdba01cba4), to make it impossible to auth any requests via leaked information.

Looks like that's a really old file from when PAWS was inside Toolforge. I've set the file to read-only and will change the database password.

I've also set up a separate database for PAWS that this is probably time to switch it for.

I set all files in the Toolforge version of /data/project/paws to be user and group read only just so that's done.

Working on completing T267683, which already uses a different password, in order to make rotating the password for toolsdb simpler.

PAWS is now running on a separate Trove database (committing the change to git shortly), and I have rotated the credentials for ToolsDB (which it will no longer be using anyway).

The PR is, but it's already deployed. I think that closes this up.

sbassett added a subscriber: sbassett.

@Urbanecm @Bstorm - Can I (or anyone really) make this task public now? I didn't see any problematic data in the task description or comments.

I have no objection, but I am interested if @Urbanecm agrees I covered everything that needs doing first.

I have no objection, but I am interested if @Urbanecm agrees I covered everything that needs doing first.

Was the (now defunct) ToolsDB database dropped as well? I think that should be done as well. If I didn't miss anything, the credentials should be void by now, but I still feel like keeping unnecessary credentials around is a bad thing.

Thanks for fixing this quickly @Bstorm.

No, but I can drop the tables now.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 18 2021, 10:35 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Thanks! I've published the task.