Closed soratidus999 closed 2 years ago
This looks very similar to #5, which was supposedly fixed way back when.
@stebet?
Resolved.
Thank you sincerely for the update, this has been a cause of significant anxiety for the two months this has been public (and private).
Going public with this was not fun and I'm glad to put it behind us.
@soratidus999 This was resolved around 17th October, as an employee of the company, apologies for not communicating it better.
Apologies are all well and fine, but can we expect better communication in the future as well? I ask this because these types of issues are NOT new. I above listed two issues from 2018 that are very similar and also, arguably, as dangerous, and while I have not tested them they are STILL open. This would be acceptable if SSOv2 was still a beta, but it has since been forced upon us developers with issues like these still open.
So again, while we appreciate your quick 2 day response time to the issue this was closed for, it still sounds like it was two months after it was privately disclosed to you and it is also still a rare moment for you to actually respond to issues on this github repo as MANY are still open from as far back as 2017.
Bug
SSO Tokens are not being revoked when a character is sold.
As this impacted our Third Party Application an EBR was logged and emails sent to security@ccpgames.com, full security disclosure here https://gitlab.com/allianceauth/allianceauth/-/issues/1356
As this is now public a summary of the issue is as follows
Reproduction Steps
Actual Behaviour
Tokens are not revoked and the owner_hash is not changed; the tokens are still visible (but not deletable) to the account that no longer owns the character.
Expected Behaviour
Tokens should be revoked when an account no longer owns a character.
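The expected behaviour above, and the symptom the report describes, written out as an added example. This is not code from the issue reporter, AllianceAuth or CCP: it is a constructed in-memory model of an SSO token store in which the class and method names (`TokenIssuer`, `issue`, `transfer`, `verify`, `tokens_for`, `revoke`) are assumptions, not the real SSO/ESI API. With `revoke_on_transfer=True` a character transfer revokes every token scoped to that character and rotates its owner_hash; with `revoke_on_transfer=False` it reproduces the reported state (tokens stay live, owner_hash unchanged, old account still sees the tokens but cannot delete them).

```python
"""Constructed model of SSO token handling across a character transfer.

Not CCP's code: an in-memory stand-in encoding the behaviour the report expects
(revoke tokens and rotate owner_hash when a character changes account) and,
with revoke_on_transfer=False, the symptom the report describes.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    token_id: str
    account: str      # account the token was issued to
    character: str    # character the token is scoped to
    owner_hash: str   # owner_hash embedded in the token at issue time
    revoked: bool = False


class TokenIssuer:
    """Hypothetical issuer; method names are assumptions, not the SSO/ESI API."""

    def __init__(self, revoke_on_transfer: bool = True) -> None:
        self.revoke_on_transfer = revoke_on_transfer
        self._owner: dict[str, str] = {}       # character -> owning account
        self._owner_hash: dict[str, str] = {}  # character -> current owner_hash
        self._tokens: dict[str, Token] = {}

    @staticmethod
    def _new_owner_hash(account: str, character: str) -> str:
        # Opaque value bound to the (account, character) pair; salted so a
        # character sold and later bought back still gets a fresh hash.
        salt = secrets.token_hex(8)
        digest = hashlib.sha256(f"{account}:{character}:{salt}".encode()).hexdigest()
        return digest[:28]

    def register(self, character: str, account: str) -> None:
        self._owner[character] = account
        self._owner_hash[character] = self._new_owner_hash(account, character)

    def issue(self, account: str, character: str) -> Token:
        # Only the current owner may obtain a token for the character.
        if self._owner.get(character) != account:
            raise PermissionError(f"{account} does not own {character}")
        tok = Token(secrets.token_hex(16), account, character, self._owner_hash[character])
        self._tokens[tok.token_id] = tok
        return tok

    def transfer(self, character: str, new_account: str) -> int:
        """Move a character to another account. Returns the number of tokens revoked."""
        revoked = 0
        if self.revoke_on_transfer:
            # Expected behaviour: every live token for the character dies and
            # the owner_hash is rotated, so nothing issued to the old owner survives.
            for tok in self._tokens.values():
                if tok.character == character and not tok.revoked:
                    tok.revoked = True
                    revoked += 1
            self._owner_hash[character] = self._new_owner_hash(new_account, character)
        self._owner[character] = new_account
        return revoked

    def tokens_for(self, account: str) -> list[Token]:
        """What an account's token-management page lists: live tokens issued to it."""
        return [t for t in self._tokens.values() if t.account == account and not t.revoked]

    def revoke(self, account: str, token_id: str) -> None:
        # Deletion is gated on *current* ownership of the character, which is
        # why the old owner in the report can see the tokens but not remove them.
        tok = self._tokens[token_id]
        if self._owner.get(tok.character) != account:
            raise PermissionError("only the character's current owner may revoke")
        tok.revoked = True

    def verify(self, token_id: str) -> dict | None:
        """Claims for a live token, or None; 'owner' plays the role of owner_hash."""
        tok = self._tokens.get(token_id)
        if tok is None or tok.revoked:
            return None
        return {"character": tok.character, "owner": self._owner_hash[tok.character]}


def token_still_trusted(stored: Token, issuer: TokenIssuer) -> bool:
    """Third-party-app side check: keep a stored token only if it is still live
    and the issuer's current owner hash matches the one recorded at issue time."""
    claims = issuer.verify(stored.token_id)
    return claims is not None and claims["owner"] == stored.owner_hash
```

The client-side `token_still_trusted` check is the defence a third-party application can apply on its own, but it only works if the issuer rotates the owner hash on transfer: run against the `revoke_on_transfer=False` issuer it keeps returning True, which is exactly why the report treats this as something only the SSO side can fix.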