[Security] Sensitive user information displayed in API request responses
closed
Aiyumei Resident
The following values should be hidden or encrypted in the API requests, as they pose a security risk to users' data:
- The user ID is displayed in the body of the network requests when opening; this can be used for penetration of the backend or for SQL injections to affect users' data.
- API body data on login with the in-world code/the verification of the code and session tokens are visible in the responses; this information can be intercepted if the user is not using a secure connection and used to hack their accounts.
Luke Rowley
closed
Hi Aiyumei, I'm closing this as Primfeed uses HTTPS only for its requests; the only way to get the session token would be for the attacker to spoof your DNS, and I'm fairly confident that your Primfeed account won't be their main target.
Aiyumei Resident
Hey Luke Rowley, it can be done on an unprotected network, such as a shared home Wi-Fi or a public one, which often lack the necessary security protocols.
Another way it can be done is by using network traffic tools like Wireshark, a tool for advanced network monitoring that can intercept based on IP; we can already obtain people's IP addresses in-world from shared media, therefore the person is already semi-exposed.
Please keep in mind that exposing any additional identification data ends up as a violation of EU GDPR laws.
We all wish Primfeed to be a great place for all SecondLife users to enjoy and actively engage with, but we also wish it to be safe and secure against any potential security threat that may arise, no matter how small the chance is.
P.S. The value of the users' response cookie is exposed, which is considered a personal identifier and is in direct violation of GDPR.
Aiyumei Resident
I haven't tried to make any tests or attempts to gain access to any backend systems, but I was able to successfully intercept the requests and see and acquire the session token for my login from a shared network environment. And since the platform doesn't appear to have cookie expiration or session authentication, this parameter can be hijacked and used to log in to the person's account.
This kind of data returned in the response is too exposed and poses a vulnerability risk. And since you have quite a few features planned in the roadmap, at some point users will begin to add even more of their information, which includes PII data.
Luke Rowley
under review
Did you find anything to do with the user ID yet? Let me know; otherwise, I don't see how exposing the user ID is a security issue at the moment.