Pete Butcher
KarmaFleet Goonswarm Federation
271
[1] Posted - 2015.02.13 14:40:34
Turns out, since CREST became public, I was sending the wrong Authorization header to /oauth/token due to a bug in my code. And guess what? For those 2 months everything worked fine. I don't know why the server let me in every single time, but this implies CREST might have some security issues inside.
http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool + Trade Advisor
Pete Butcher
KarmaFleet Goonswarm Federation
271
[2] Posted - 2015.02.14 10:15:22
The lack of any response from CCP to this is quite... interesting. Well, I did some experiments and actually managed to crash(?) the /oauth/token endpoint ("Internal server error. Error ref: 838725f6-2778-4e99-a9c6-9ad96f899fdf"). Let me repeat what's going on here:
You have a broken authorization validation, which possibly can be exploited (or at least made to crash).
Pete Butcher
KarmaFleet Goonswarm Federation
271
[3] Posted - 2015.02.14 10:53:28
And I just managed to authorize myself using forged base64 authorization data. Poor show, CCP.
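The first and third posts above both concern the same thing: the HTTP Basic `Authorization` header a client sends to an OAuth 2.0 `/oauth/token` endpoint, and what happens when the server does not check it strictly. The following is an added example, not code from the thread, from Evernus or from CCP, and it makes no claim about what the actual CREST defect was. It shows the client-side construction of the header per RFC 6749 section 2.3.1 alongside a server-side validator that rejects the kinds of input a lenient check would wave through: wrong scheme, whitespace or junk inside the base64, non-canonical encodings that decode to the same bytes as a legitimate token, a missing `client_id:client_secret` separator, and a wrong secret. The client registry (`CLIENT_REGISTRY`) and its credentials are constructed for the example and are not real application keys.

```python
import base64
import binascii
import hmac
import re
from typing import Optional, Tuple
from urllib.parse import quote, unquote

# Constructed registry of registered apps for this example (not real CREST credentials).
CLIENT_REGISTRY = {
    "evernus-demo": "s3cret-app-key",
}

# Strict base64 alphabet: no whitespace, no URL-safe variants, padding only at the end.
_B64_STRICT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_basic_header(client_id: str, client_secret: str) -> str:
    """Client side (RFC 6749 s2.3.1): form-urlencode each part, join with ':', base64 the pair."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Server side: strictly parse a Basic header into (client_id, client_secret), or None."""
    scheme, sep, token = header.partition(" ")
    if scheme != "Basic" or not sep or not token or " " in token:
        return None
    # Length and alphabet checks before decoding: reject anything a lenient decoder
    # would silently clean up (embedded newlines, stray characters, bad padding).
    if len(token) % 4 != 0 or not _B64_STRICT.fullmatch(token):
        return None
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Canonical-form check: re-encoding must reproduce the token exactly. Otherwise
    # several distinct header strings (differing in unused trailing bits) alias one credential.
    if base64.b64encode(decoded).decode("ascii") != token:
        return None
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    client_id, sep, secret = text.partition(":")
    if not sep or not client_id:
        return None
    return unquote(client_id), unquote(secret)


def authenticate_client(header: str) -> Optional[str]:
    """Return the authenticated client_id, or None if the header must be rejected."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    client_id, secret = creds
    expected = CLIENT_REGISTRY.get(client_id)
    if expected is None:
        # Compare against a dummy value so unknown ids cost the same as known ones.
        hmac.compare_digest(secret.encode("utf-8"), b"\x00" * 16)
        return None
    # Constant-time comparison of the secret; a plain '==' leaks timing information.
    if not hmac.compare_digest(secret.encode("utf-8"), expected.encode("utf-8")):
        return None
    return client_id


if __name__ == "__main__":
    good = build_basic_header("evernus-demo", "s3cret-app-key")
    print(good, "->", authenticate_client(good))
    for bad in (
        build_basic_header("evernus-demo", "wrong-key"),
        build_basic_header("someone-else", "s3cret-app-key"),
        "Bearer " + good.split(" ", 1)[1],
        "Basic " + good.split(" ", 1)[1][:18] + "\n" + good.split(" ", 1)[1][18:],
        "Basic " + base64.b64encode(b"evernus-demo").decode(),
    ):
        print(repr(bad), "->", authenticate_client(bad))
```

The two checks most often missing in practice are the canonical-form comparison and the constant-time secret comparison; a decoder that accepts whitespace or ignores trailing bits lets many different header strings authenticate as the same app, which is exactly the sort of "forged base64" the third post describes.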
Kali Izia
GoomWaffe Goonswarm Federation
32
[4] Posted - 2015.02.14 11:08:04
If you think there's a security issue with SSO, e-mail [email protected].
Or, you know, at least give someone more than 20 hours on a weekend to respond.
Pete Butcher
KarmaFleet Goonswarm Federation
271
[5] Posted - 2015.02.14 11:11:18
Kali Izia wrote: If you think there's a security issue with SSO, e-mail [email protected]. Or, you know, at least give someone more than 20 hours on a weekend to respond.
I think I'll compile a list of problems I found and mail them. If some app was actually authorizing itself as another, things would be pretty bad.
CCP FoxFour
C C P C C P Alliance
3931
[6] Posted - 2015.02.14 11:12:39
As was pointed out, [email protected] would be the place to go with this. Sorry for the late response, you posted late on a Friday when most of us were heading home for the day.
@CCP_FoxFour // Technical Designer // Team Size Matters
Third-party developer? Check out the official developers site for dev blogs, resources, and more.
Pete Butcher
KarmaFleet Goonswarm Federation
271
[7] Posted - 2015.02.14 11:21:19
CCP FoxFour wrote: As was pointed out, [email protected] would be the place to go with this. Sorry for the late response, you posted late on a Friday when most of us were heading home for the day.
Will do. Right now you can basically authorize as any app you want.