yahoo-eng-team team mailing list archive

[Bug 1502280] Re: Visible token in HTTP

As noted, the security promise of bearer tokens relies on not exposing
them to a would-be attacker, so this is a shortcoming of your deployment
configuration, not a security vulnerability in the underlying
implementation.

** Information type changed from Private Security to Public

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  It is possible for a 3rd party to read the federated user token during a
  federated login.
  
  I am trying with branch origin/master, commit
  f485c3bdea13c1959db1eec2936690addd87b492.
  
  I installed openstack using devstack. Then, I installed websso following
  the steps on official documentation
  (http://docs.openstack.org/developer/keystone/configure_federation.html).
  I am using Shibboleth and testing with testshib.org.
  
  I managed to get logged in using testshib. But, if I use wireshark to
  read the messages exchanged between my browser and the server, I am able
  to capture the token.
  
  The capture happens when keystone uses a POST to communicate the token
  to horizon (an http POST to /dashboard/auth/websso).
  
  I later used the retrieved token to successfully access the federated
  user's projects using the API.

** Changed in: ossa
       Status: Incomplete => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1502280

Title:
  Visible token in HTTP

Status in Keystone:
  Won't Fix
Status in OpenStack Security Advisory:
  Invalid

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1502280/+subscriptions
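The VMT's conclusion above is that the exposure is a deployment matter: keystone's WebSSO flow hands the token to the browser in an auto-submitting form aimed at the dashboard URL configured under `trusted_dashboard`, and if that URL is plain `http://` the token crosses the wire unencrypted, exactly as the reporter captured it. The following audit script is an added example written for this page, not keystone or horizon code and not part of the bug report. It assumes only that keystone's `[federation]` section lists one or more `trusted_dashboard` values (a real, repeatable keystone option); the sample configuration, hostnames and the helper names `parse_trusted_dashboards`, `audit_dashboard_targets` and `insecure_targets` are constructed for illustration.

```python
"""Audit keystone.conf for WebSSO dashboard targets that would receive the
federated token over plaintext HTTP (bug 1502280).

Added example, not project code. Constructed sample config below; the
hostnames are hypothetical, the option name trusted_dashboard is real.
"""
import re
from urllib.parse import urlsplit

# Constructed keystone.conf excerpt: one plaintext target, one TLS target.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
debug = False

[federation]
# horizon endpoint keystone POSTs the token to after a federated login
trusted_dashboard = http://devstack.example.test/dashboard/auth/websso/
trusted_dashboard = https://dash.example.test/dashboard/auth/websso/
sso_callback_template = /etc/keystone/sso_callback_template.html
"""


def parse_trusted_dashboards(conf_text):
    """Return every trusted_dashboard value in the [federation] section.

    keystone declares trusted_dashboard as a repeatable option, so a stock
    configparser (which keeps only the last duplicate key) would silently
    drop entries; this walks the file line by line instead.
    """
    section = None
    targets = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        if section != "federation" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "trusted_dashboard":
            targets.append(value.strip())
    return targets


def audit_dashboard_targets(targets):
    """Classify each WebSSO target URL by the scheme the token will travel over.

    Returns a list of (url, verdict) tuples; only 'ok' means the browser's
    token POST to horizon is protected by TLS.
    """
    findings = []
    for url in targets:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "https":
            findings.append((url, "ok"))
        elif scheme == "http":
            findings.append(
                (url, "plaintext: token will be POSTed over unencrypted HTTP")
            )
        else:
            findings.append((url, "unexpected scheme %r" % scheme))
    return findings


def insecure_targets(conf_text):
    """Convenience wrapper: just the URLs that need fixing in a deployment."""
    return [
        url
        for url, verdict in audit_dashboard_targets(
            parse_trusted_dashboards(conf_text)
        )
        if verdict != "ok"
    ]


if __name__ == "__main__":
    for url, verdict in audit_dashboard_targets(
        parse_trusted_dashboards(SAMPLE_KEYSTONE_CONF)
    ):
        print("%-60s %s" % (url, verdict))
```

Running it against the constructed sample flags the `http://` entry and passes the `https://` one. In a real deployment the fix is on the horizon side as well as in this list: serve the dashboard over TLS so that the `/dashboard/auth/websso` POST the reporter observed is encrypted, then change `trusted_dashboard` to the `https://` URL; a plaintext listener that merely redirects to HTTPS is not enough, because the browser has already sent the token in the first request.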