ccpgames / sso-issues

Please file issues with the CCP SSO (login.eveonline.com) here.

SSO Tokens not revoking on Character Sale [EBR-239105] #79

Closed soratidus999 closed 1 year ago

soratidus999 commented 1 year ago

Bug

SSO Tokens are not being revoked when a character is sold.

As this impacted our Third Party Application, an EBR was logged and emails were sent to security@ccpgames.com; the full security disclosure is here: https://gitlab.com/allianceauth/allianceauth/-/issues/1356

As this is now public, a summary of the issue is as follows:

Reproduction Steps

  1. Authenticate to a Third Party Application and provide a refresh_token
  2. Transfer your character to another account via the CCP transfer character process.

Actual Behaviour

Tokens are not revoked and the owner_hash is not changed; the tokens are still visible (but not delete-able) to the account that no longer owns the character.

Expected Behaviour

Tokens should be revoked when an account no longer owns a character.

gehnster commented 1 year ago

https://github.com/ccpgames/sso-issues/issues/46 https://github.com/ccpgames/sso-issues/issues/44

Luunae commented 1 year ago

This looks very similar to #5, which was supposedly fixed way back when.

@stebet?

mateuszkrasucki commented 1 year ago

Resolved.

soratidus999 commented 1 year ago

Thank you sincerely for the update; this has been a cause of significant anxiety for the two months this has been public (and private).

Going public with this was not fun and I'm glad to put it behind us.

mateuszkrasucki commented 1 year ago

@soratidus999 This was resolved around 17th October; as an employee of the company, apologies for not communicating it better.

gehnster commented 1 year ago

@soratidus999 This was resolved around 17th October; as an employee of the company, apologies for not communicating it better.

Apologies are all well and fine, but can we expect better communication in the future as well? I ask this because these types of issues are NOT new. I listed above two issues from 2018 that are very similar and arguably as dangerous, and while I have not tested them they are STILL open. This would be acceptable if SSOv2 was still a beta, but it has since been forced upon us developers with issues like these still open.

So again, while we appreciate your quick 2 day response time to the issue this was closed for, it still sounds like it was two months after it was privately disclosed to you, and it is also still a rare moment for you to actually respond to issues on this GitHub repo, as MANY are still open from as far back as 2017.