Change Details

I just happened to notice that PAWS's ToolsDB password is publicly available, which appears to contain client OAuth secrets for PAWS users (secrets connected to my account are there and I confirmed via production database queries they're valid). Fortunately, it looks the secrets are related to some older version of PAWS (the associated consumer ID is `0a73e346a40b07262b6e36bdba01cba4`, which has `https://paws.wmflabs.org/paws/hub/oauth_callback` as the callback; the current PAWS consumer sounds to use `https://hub.paws.wmcloud.org/hub/oauth_callback` instead). That being said, it still exposes sensitive tokens for a great amount of users. Considering the secret consumer token was necessarily published within the PAWS container (T120469), this means there can be users with the technical ability to impersonate the old PAWS users on-wiki.

I just happened to notice that PAWS's ToolsDB password is publicly available, which appears to contain client OAuth secrets for PAWS users (secrets connected to my account are there and I confirmed via production database queries they're valid). Fortunately, it looks the secrets are related to some older version of PAWS (the associated consumer ID is `0a73e346a40b07262b6e36bdba01cba4`, which has `https://paws.wmflabs.org/paws/hub/oauth_callback` as the callback; the current PAWS consumer sounds to use `https://hub.paws.wmcloud.org/hub/oauth_callback` instead). That being said, it still exposes sensitive tokens for a great amount of users. Considering the secret consumer token was necessarily published within the PAWS container (T120469), this means there can be users with the technical ability to impersonate the old PAWS users on-wiki. SQL password (and some other secrets) is available in `/data/project/paws/hub-rc`.

I just happened to notice that PAWS's ToolsDB password is publicly available, which appears to contain client OAuth secrets for PAWS users (secrets connected to my account are there and I confirmed via production database queries they're valid). Fortunately, it looks the secrets are related to some older version of PAWS (the associated consumer ID is `0a73e346a40b07262b6e36bdba01cba4`, which has `https://paws.wmflabs.org/paws/hub/oauth_callback` as the callback; the current PAWS consumer sounds to use `https://hub.paws.wmcloud.org/hub/oauth_callback` instead). That being said, it still exposes sensitive tokens for a great amount of users. Considering the secret consumer token was necessarily published within the PAWS container (T120469), this means there can be users with the technical ability to impersonate the old PAWS users on-wiki. SQL password (and some other secrets) is available in `/data/project/paws/hub-rc`.