Users of shared terminals can see the email address, user token, and service tokens of users from other organizations

datawire / datawire-cli

Datawire Cloud tools and utilities

1 stars 0 forks source link

Users of shared terminals can see the email address, user token, and service tokens of users from other organizations #29

Closed janicedatawire closed 8 years ago

janicedatawire commented 8 years ago

As user jmk4 in org H3PSFJ7NZ2 I can see user and service info about users in other organizations (in this case user jmk1 in BJSJ7HV3JD) if I look at the datawire.json state file:

{
    "orgID":"H3PSFJ7NZ2",
    "orgs":{
        "BJSJ7HV3JD":{
            "email":"jmk1@example.org",
            "service_tokens":{
                "service1":"<token>"
            },
            "user_token":"<token>"
        },
        "H3PSFJ7NZ2":{
            "email":"jmk4@example.org",
            "user_token":"<token>"
        }
    }
}

kflynn commented 8 years ago

datawire.json itself is protected by UNIX. This is only an issue if two users are actually sharing an account – which is to say, it's only an issue in a case where the two users will be indistinguishable by basically everything.

We could protect against this case by encrypting the entry in datawire.json and requiring each user to unlock their record before doing anything, but it's so many sigmas from our design goals I'm disinclined to bother.