d4v3y0rk / ffpass-module

Forget FordPass NPM Module
MIT License

Update to use ford.com address for authentication #10

Closed TerryMooreII closed 2 years ago

TerryMooreII commented 2 years ago

I would trust this a lot more if I knew the auth url was a ford.com address and not potentially your ibmcloud.com function stealing and proxying my creds :)

d4v3y0rk commented 2 years ago

🤷🏼‍♂️ That is the url they set up for auth, not me. You can check the ownership of the url in a whois lookup: https://www.whois.com/whois/ibmcloud.com It is for sure not owned by me. Looks like it is owned by IBM. You can trust them or not. I don’t use this anymore because I no longer have a Ford vehicle.

On Dec 14, 2021, at 3:03 PM, Terry Moore @.***> wrote:

 I would trust this a lot more if I knew the auth url was a ford.com address and not potentially your ibmcloud.com function stealing and proxying my creds :)

You can view, comment on, or merge this pull request online at:

https://github.com/d4v3y0rk/ffpass-module/pull/10

Commit Summary

55e367f Update to use ford.com address for authentication

File Changes (1 file)

M index.js (4)

Patch Links:

https://github.com/d4v3y0rk/ffpass-module/pull/10.patch
https://github.com/d4v3y0rk/ffpass-module/pull/10.diff

d4v3y0rk commented 2 years ago

I would trust this a lot more if I knew the auth url was a ford.com address and not potentially your ibmcloud.com function stealing and proxying my creds :)

I no longer have any way to test this. Would you like to take over ownership?

d4v3y0rk commented 2 years ago

I would trust this a lot more if I knew the auth url was a ford.com address and not potentially your ibmcloud.com function stealing and proxying my creds :)

Is IBMCloud like AWS or GCP? Does it host user stuff?

TerryMooreII commented 2 years ago

Yes, ibmcloud.com is the same as AWS/GCP. Therefore, as I was jokingly referring to, you could have hosted a service on ibmcloud, stolen our Ford creds and then forwarded that request off to Ford, returning the access token via this module with no one the wiser. But like I said, it was a joke. I don't really want to take over this module as I don't actually use it. I found this via a link in another project that is using the same Ford API endpoints as you and figured I would fix it upstream before notifying that project. I did test this new URL via Postman and it returns the same JSON object as the current ibmcloud url.
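The concern raised in this thread, credentials being posted to a host on a shared cloud domain instead of the vendor's own domain, can be enforced in a client as a host check that runs before any credentials are sent. The following is an added JavaScript example, not code from ffpass-module or from this pull request; `checkAuthUrl`, `TRUSTED_AUTH_DOMAINS`, `auditSamples` and every hostname other than the two domains named in the thread are constructed for illustration.

```javascript
// Added example: refuse to send credentials to an auth URL outside the vendor's domain.
// TRUSTED_AUTH_DOMAINS is an assumption taken from the thread; sample hosts are constructed.
const TRUSTED_AUTH_DOMAINS = ['ford.com'];

function checkAuthUrl(rawUrl, trusted = TRUSTED_AUTH_DOMAINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Credentials must never travel over plaintext.
  if (url.protocol !== 'https:') return { ok: false, reason: 'not https' };
  // "https://ford.com@other.host/" puts the trusted name in userinfo, not the host.
  if (url.username || url.password) return { ok: false, reason: 'userinfo present' };
  // The WHATWG URL parser lowercases the host; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, '');
  // Match the domain itself or a dot-delimited subdomain, so that
  // "notford.com" and "ford.com.tenant.ibmcloud.com" do not pass.
  const ok = trusted.some((d) => host === d || host.endsWith('.' + d));
  return ok ? { ok: true, host } : { ok: false, host, reason: 'host outside trusted domains' };
}

// Constructed sample URLs (not the module's real endpoints).
const SAMPLES = [
  'https://auth.ford.com/oauth/token',
  'https://AUTH.FORD.COM./oauth/token',
  'https://tenant.ibmcloud.com/oauth/token',
  'https://ford.com.tenant.ibmcloud.com/oauth/token',
  'https://ford.com@tenant.ibmcloud.com/oauth/token',
  'https://notford.com/oauth/token',
  'http://auth.ford.com/oauth/token',
];

// Run the check over every sample and keep the URL next to its verdict.
function auditSamples() {
  return SAMPLES.map((u) => ({ url: u, ...checkAuthUrl(u) }));
}

for (const r of auditSamples()) {
  console.log(r.ok ? 'ALLOW' : 'BLOCK', r.url, r.reason || '');
}
```

The check only constrains which host receives the credentials; it says nothing about what the service behind that host does with them.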

TerryMooreII commented 2 years ago

btw, this was great work sniffing the app traffic to get this info. Much appreciated!