gitcoinco / web

Grow Open Source
https://gitcoin.co

User's Github Token Is Publicly Visible After Login #5407

Closed mul1sh closed 4 years ago

mul1sh commented 4 years ago

Describe the bug

Like the title says, after logging into gitcoin, a user's github oauth token is appended as a variable in a script tag as follows:

<script>
let currentProfile = {
  username: "mul1sh",
  githubToken: "XXXXXXXXXXXXXXX",
  isStaff: "False" != "False",
  isModerator: "False" != "False"
};
</script>

This makes it very easy for malicious browser extensions, add-ons or scripts running in the background to parse the page after login, get this token and use it to get private user data, e.g. emails, repo information, etc.

To Reproduce

  1. Simply log in to gitcoin with your github account.
  2. After login, right click on the page and select the option View Page Source.
  3. Scroll down to the very bottom and you'll see your github oauth token for gitcoin publicly visible and accessible to all iframes, browser extensions, scripts and add-ons.

Expected behavior

This token should be hidden, as it can be used to easily gather private information from a user's github profile, e.g. email addresses, with the intention of using this info maliciously, e.g. spamming, etc.

Related To Issue

5399

Desktop (please complete the following information):

oritwoen commented 4 years ago

I wonder how to treat it. Information about the token is visible only to a given user in the source of the page only when he logs in.

The attacker would therefore need to have physical access to the victim or the user's computer would have to be infected and have dangerous "viruses".

And if something like this happens, it doesn't matter if the token is displayed here or not. Then just entering GitHub will result in the account being hijacked. Or just entering and logging into the bank's website will allow someone to manipulate transfers.

You can consider the possibility of stealing a token via XSS on the portal and discuss hiding it, and this is rather the biggest threat.

Personally, I see that all the time developers care about security and patches on these issues are added on a regular basis. I even do security audits myself and other users too. So the XSS threat is also getting smaller all the time.

mul1sh commented 4 years ago

@ririen hmmm... this is not only a threat if the attacker has physical access to the user's computer, but also browser extensions/add-ons/themes can all read this token, because they run in the background by default and can access the current page easily.

And yes of course XSS or even simple phishing via iframes would allow an attacker to gain access to the token once the user has logged in.

oritwoen commented 4 years ago

And yes of course XSS or even simple phishing via iframes would allow an attacker to gain access to the token once the user has logged in.

It is not possible to use iframe with a gitcoin domain outside. There is no threat in this matter. There is adequate security for this on the entire platform.

hmmm..this is not only a threat if the attacker has physical access to the user's computer but also browser extensions/ add-ons/themes can all read this token, because they run in the background by default and can access the current page easily.

You miss a very important perspective. Each page/platform with users MUST contain in its source the user's private data after logging in, it is necessary for its operation.

It doesn't matter if it's Facebook, Google or Gitcoin, each after logging in the user contains very sensitive data in the source of the page because it is necessary.

The best example is CSRF tokens, which are located in the source of the page at each form and are a specific protection against the use of the system by outsiders. They are very private and their leakage or lack would mean that someone can manipulate the logic of the application. Your entry would suggest that you also need to hide them because they are very private and thus a gateway to a lot of new threats.

<input type="hidden" name="csrf-token" value="CIwNZNlR4XbisJF39I8yWnWX9wX4WFoz" />

The source of the page will always contain private and sensitive data after logging in. Another example is simply the settings page where privately set data is displayed, often extremely sensitive.

but also browser extensions/ add-ons/themes can all read this token, because they run in the background by default and can access the current page easily.

Here you are already suggesting that platform creators/developers should take responsibility for the fact that the user uses the browser in a dangerous and inattentive manner and installs everything that he can without checking.

Packages with extensions and everything else from the official browser stores contain specific information about what permissions a given package receives after installing.

In addition, before appearing in the store, their sources are further verified by the developers of the browser and if they are dangerous, they are rejected.

However, if the user decides to additionally install something from unverified sources and does not check them himself, he is irresponsible.
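The two kinds of value debated in this thread are not equivalent from a defender's point of view: a CSRF token is a per-session anti-forgery value that is only useful together with the victim's own session, whereas a GitHub OAuth access token is a reusable bearer credential for a third-party API. The following is an added example (not Gitcoin's code) of a small check a reviewer could run over server-rendered HTML in a CI step: it flags credential-like values assigned to string literals inside inline script blocks, and deliberately ignores CSRF tokens. The sample HTML, the `findEmbeddedCredentials` name and the placeholder token value are constructed for the example.

```javascript
// Added example, not part of the Gitcoin project: a linter for rendered HTML that
// reports bearer-style credentials embedded in inline <script> blocks.

// Property names that typically carry a reusable third-party credential.
const CREDENTIAL_NAME = /token|api_?key|secret/i;
// CSRF / anti-forgery tokens are expected in the page; do not report them.
const CSRF_NAME = /csrf|xsrf|anti.?forgery/i;

// Return the bodies of all inline <script> blocks (src= scripts have no body).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Find `name: "value"` or `name = "value"` pairs inside inline scripts whose
// name looks like a credential and whose value is a non-empty string literal.
// Only the name and the value's length are reported, never the value itself.
function findEmbeddedCredentials(html) {
  const findings = [];
  inlineScripts(html).forEach((body, scriptIndex) => {
    const pair = /([A-Za-z_$][\w$]*)\s*[:=]\s*(["'])([^"']+)\2/g;
    let m;
    while ((m = pair.exec(body)) !== null) {
      const [, name, , value] = m;
      if (CREDENTIAL_NAME.test(name) && !CSRF_NAME.test(name)) {
        findings.push({ scriptIndex, name, length: value.length });
      }
    }
  });
  return findings;
}

// Constructed sample resembling the reported page: a CSRF hidden input, a CSRF
// value passed to JS, and a profile object carrying a placeholder OAuth token.
const SAMPLE_HTML = `
<form method="post"><input type="hidden" name="csrf-token" value="csrf-placeholder" /></form>
<script>
let currentProfile = {
  username: "mul1sh",
  csrfToken: "csrf-placeholder",
  githubToken: "XXXXXXXXXXXXXXX",
  isStaff: "False" != "False"
};
</script>`;

// Hardened variant: the server keeps the token and exposes only non-secret fields.
const HARDENED_HTML = SAMPLE_HTML.replace(/\s*githubToken: "[^"]*",/, '');
```

Running `findEmbeddedCredentials(SAMPLE_HTML)` reports one finding (`githubToken`), while the hardened page reports none; the CSRF values are left alone in both cases.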

mul1sh commented 4 years ago

@ririen ok thanks for clarifying, closing this one now.