OpenSprinkler / OpenSprinkler-App

A mobile interface for the OpenSprinkler irrigation device. Designed to allow manual control, program management (preview, add, edit, and delete), initiation of a run-once program, viewing graphical and tabulated representations of log data, viewing device status, adjusting rain delay, and changing of OpenSprinkler settings.
https://opensprinkler.com
GNU Affero General Public License v3.0

🚨 Potential Improper Access Control #122

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

👋 Hello, @salbahra, @PeteBa, @Derpthemeus - a potential high severity Improper Access Control vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-OpenSprinkler/OpenSprinkler-App for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

salbahra commented 3 years ago

I am not sure who runs Huntr.dev nor why I should trust them with my GitHub OAuth. With that said, I did try to log in to this website to view this report; however, the report still cannot be viewed. You are welcome to email us at support@opensprinkler.com.

adam-nygate commented 3 years ago

Hey @salbahra, sorry about that!

We ask for login via GitHub so that we know that you're the maintainer and to give you privileges (e.g. validating/invalidating the vulnerability). Not sure why it didn't work, but looking into it now.

In the meantime, I'll email you the disclosure content so that you can review.

Apologies for the inconvenience!

salbahra commented 3 years ago

Thank you for the quick reply. I believe it wants me to log in with my organization and not my personal account, but it never asked me which organization.

adam-nygate commented 3 years ago

> Thank you for the quick reply. I believe it wants me to log in with my organization and not my personal account, but it never asked me which organization.

Ah, nah, it'll be expecting you to log in with your personal account. In any case, I've just pinged you the details :)

salbahra commented 3 years ago

Thank you for providing the report to me. After review, I can report the issue has been resolved and can disclose this to the public.

The issue reported to us was regarding our Google Maps API key used for geolocation within the application to aid in resolving map locations to coordinates. This API key can be locked down or restricted in two ways by Google. One is to use referrer or IP rules to identify who is allowed to use the key. The other is to restrict which APIs the key can be used for. Furthermore, quotas can be established to prevent use past a certain amount for a set time period.

Our application employed two of the three restrictions (API restriction and quotas); however, it was not using the referrer restriction. The report identifies that this results in our keys being freely available for anyone to use (within our set quotas). To be fair, we knew about this from the start but chose to proceed this way because our application is available on many platforms outside of the web. These platforms make the referrer restriction difficult, as the referrer won't be consistent or even present.

Because of this report and the clear understanding that there is a potential for abuse which, at the very least, could burden the experience of OpenSprinkler customers, we have decided to employ these referrer restrictions. We have made sure to add referrers for all our native applications and will improve and adjust if any issues arise.

This resolves the issue reported.

Thanks again for your report!
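An added example (not OpenSprinkler or huntr code) showing the two checks the comment above describes: auditing which restriction layers a key has, and how a referrer restriction treats a request with no Referer, the native-app case the maintainer mentions. The dictionary shape mirrors the `restrictions` block of the Google Cloud API Keys v2 resource as I understand it (an assumption; compare against your own export), and the wildcard matching is a simplified model of Google's referrer rules.

```python
import fnmatch

# Constructed sample `restrictions` blocks (assumed API Keys v2 shape).
UNRESTRICTED_BROWSER_KEY = {
    "apiTargets": [{"service": "geocoding-backend.googleapis.com"}],
}
RESTRICTED_BROWSER_KEY = {
    "apiTargets": [{"service": "geocoding-backend.googleapis.com"}],
    "browserKeyRestrictions": {
        "allowedReferrers": ["https://*.opensprinkler.com/*", "http://localhost:*/*"],
    },
}

CLIENT_RESTRICTION_KINDS = (
    "browserKeyRestrictions",   # HTTP referrers
    "serverKeyRestrictions",    # IP addresses
    "androidKeyRestrictions",   # package name + signing cert
    "iosKeyRestrictions",       # bundle identifiers
)


def audit_key_restrictions(restrictions):
    """Return the restriction layers a key is missing.

    A key with no client restriction can be used from any origin up to its
    quota, which is the situation the report describes. Quotas live on the
    project, not on the key, so they are not checked here.
    """
    missing = []
    if not any(kind in restrictions for kind in CLIENT_RESTRICTION_KINDS):
        missing.append("client restriction (referrer, IP, or app)")
    if not restrictions.get("apiTargets"):
        missing.append("API restriction")
    return missing


def referrer_allowed(restrictions, referrer):
    """Model how a referrer restriction evaluates a request's Referer header.

    Patterns use `*` wildcards (simplified here with fnmatch). A request with
    no Referer, as from a native app, matches no pattern and is rejected once
    the restriction exists; that is the trade-off noted for non-web platforms.
    """
    browser = restrictions.get("browserKeyRestrictions")
    if browser is None:
        return True  # no referrer restriction: any origin may use the key
    if not referrer:
        return False
    return any(fnmatch.fnmatchcase(referrer, p) for p in browser["allowedReferrers"])
```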

JamieSlome commented 3 years ago

@salbahra - happy to hear that the advisory has been helpful in remediation!

If possible, can you please confirm the patch commit SHA?

I will go ahead and validate and track this against the advisory once you confirm.

Cheers! 🍰

salbahra commented 3 years ago

The solution required no code changes and as a result I do not have a commit to show you. The only change required was a setting change in Google Cloud Console.

Thank you, Samer

JamieSlome commented 3 years ago

@salbahra - awesome, thanks for the further information.

Have a great rest of your day!