search

yadayada / acd_cli

An unmaintained command line interface and FUSE filesystem for Amazon (Cloud) Drive
Other
1.35k stars 165 forks source link

Not my file #549

Closed thibautcornolti closed 7 years ago

thibautcornolti commented 7 years ago

Hi, My acd_cli has got a recent database corruption in node.db. I removed it and I executed "acd_cli sync". But since that moment, I have the files of another person and I can download and see his files, upload and remove files! (Obviously I will not touch his files). Is there not a problem in acd_cli ? EDIT: I specify that even I remove the node.db, when I sync I have again the same cloud of this person Thanks!

yadayada commented 7 years ago

Please contact (preferably phone) the Amazon support immediately.

thibautcornolti commented 7 years ago

Ok I will call Amazon tomorrow concerning that. It's strange...

thibautcornolti commented 7 years ago

Hi, I called Amazon and they have understood nothing or they do not care, "it's not their stuff because it's not their software"...

davidjameshowell commented 7 years ago

I would assume that would be some type of Amazon Drive issue and not related to ACD_CLI due to the nature of how it is making federated requests with specific user data.

It may behoove you to get debug logs for listings and uploading files to that account to see the auth that is being generated for those requests. Definitely sounds suspicious though.

thibautcornolti commented 7 years ago

I will send a mail with evidence to Amazon. I don't know really how works acd_cli but I think it's my API Key which have moved of owner maybe ?

thenoahcomputer commented 7 years ago

I suspect you got someone else's auth token somehow, but that should never ever happen or even be possible. I would make a backup of your current oauth_data file (maybe that whole acd_cli cache folder it lives in), move it somewhere else, then re-authorize acd_cli. If you still see other people's files, I would raise holy hell with Amazon until they get the message that their authentication system is compromised. If you see someone else's files, it's entirely possible they can see yours.

Don't expect much though even if you start seeing your own data again. Amazon Drive has been very flaky since yesterday.

Axadiw commented 7 years ago

couple days ago I've got the same behaviour using acd_cli

Saren-Arterius commented 7 years ago

Hi. I suddenly have access to other's files after I deleted the corrupted DB and sync. What the actual fuck??????????

Saren-Arterius commented 7 years ago

image image image

Saren-Arterius commented 7 years ago

I have contacted aws-security@amazon.com and security@amazon.com

tombowditch commented 7 years ago

Ouch. This could be pretty bad. Did you notice any reproducability steps?

Saren-Arterius commented 7 years ago

@madyoda Nope. It happens very randomly. First your DB somehow gets corrupted. Delete it, acdcli sync, then tada.

tombowditch commented 7 years ago

@Saren-Arterius does the amazon web interface show your files?

Saren-Arterius commented 7 years ago

@madyoda The web interface is fine. Maybe acd_cli triggered this server side problem.

thibautcornolti commented 7 years ago

I had exactly the same issue, with the same step to do the bug.

tombowditch commented 7 years ago

@Saren-Arterius interesting - seems like it's some token thing. Keep us updated re: amazon email(s) 👍

thenoahcomputer commented 7 years ago

This is most likely a problem with authentication on Amazon's end. Could be really bad if someone, for example, has an automated script backing up their system to a folder called "backup" and it deletes/replaces someone else's backup folder unnoticed after this glitch occurs.

Perhaps it's worth adding a basic sanity check to prevent since it's happened to more than just a couple people? Maybe have acd_cli write a uuid to a file on acd_cli or otherwise fingerprint the account to ensure it is using the same account as the last time when it syncs nodes and throw a warning if there is a mismatch?

skirsten commented 7 years ago

So this is my take on this: The corrupted db is not the cause of this problem but rather a side effect. I guess that during some regular request (upload, download, file list, etc.) the OAuth token got renewed but what amazon or the appspot authenticator returned was the renewed OAuth of somebody else.

I took a look at the authenticator implementation and it seems pretty solid, so maybe amazon screwed something up on their end.

I'm currently running a get usage information, renew token, check if usage changed loop to reproduce this error but with no success at this time.

ghost commented 7 years ago

Seems to me like this has something to do with the Rate Exceeded Error. Reports of both errors seem to come up at the same time.

nbyloff commented 7 years ago

When I look at the oauth code in acdcli, it uses an AppSpotAuthenticator. Why? Can't authentication be done using a more common OAuth setup?

skirsten commented 7 years ago

@nbyloff Authorization using the Google App Engine (AppSpot) "proxy" is used for simplicity. You can setup a local OAuth callback and use that, see Authorization.

PlasmaPower commented 7 years ago

Has anyone attempted to contact the user whose files they received and find out if they use acd_cli?

Saren-Arterius commented 7 years ago

Their security team replied. I hope this issue can be fixed sooner...

davidjameshowell commented 7 years ago

So it was deemed to be an issue on Amazon's authentication side? An actual issue?

On May 13, 2017 8:29 PM, "Saren Arterius" notifications@github.com wrote:

Their security team replied. I hope this issue can be fixed sooner...

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/yadayada/acd_cli/issues/549#issuecomment-301288661, or mute the thread https://github.com/notifications/unsubscribe-auth/APt9cR4CgaUgK6-CP29siVULfV8EYXIKks5r5nUKgaJpZM4M-emH .

Saren-Arterius commented 7 years ago

@davidjameshowell They did not confirm, but I guess it should be...

tombowditch commented 7 years ago

@Saren-Arterius any idea what they said? If you visit https://tensile-runway-92512.appspot.com/ now, it says unknown client_id. Almost seems like acd_cli got revoked from Amazon.

SchnorcherSepp commented 7 years ago

I learned from Amazon: just wait and see Give the security team some time....

Saren-Arterius commented 7 years ago

@madyoda 

To help us have a full understanding of your report (HGXXXXXXXXX), can you please let us know when exactly did you start experiencing this issue?

Could you please also tell us how you initially authenticated to Amazon Cloud Drive using acd_cdi? I can see different methods described on https://acd-cli.readthedocs.io/en/latest/authorization.html.

Seeing acd_cli no longer works possibly because of this, I somehow feel guilty lol.

tombowditch commented 7 years ago

@Saren-Arterius I wouldn't feel guilty - you potentially stopped a big issue i.e. people accessing each others accounts. I'd mention you used tensile-runway-92512.appspot.com and that's hosted on the Google App Engine. (I also don't know if it's public info but you may want to remove the report ID in the brackets (HG....))

Saren-Arterius commented 7 years ago

@madyoda Thanks for reminding that, the ID is removed.

nob0dy80 commented 7 years ago

shame on you @Saren-Arterius ... since acdcli is down and i cant access my encrypted media files i feel kind of prehistoric :-) If acdcli wont come back i would be kind of lost since i dont know a other way to mount the drive into a folder on linux :-/

tombowditch commented 7 years ago

@nob0dy80 take a look at rclone, specifically this

Saren-Arterius commented 7 years ago

@nob0dy80 rofl didn't expect that

nob0dy80 commented 7 years ago

@Saren-Arterius everythine fine... security first. not your fault at all .. but i hope it will come back, worked great for me.

@madyoda ...oh ..didnt know there is a mount option on rclone. But don't like the word "experimental" when playing arround with my media. But i'll give it a try. Hope the performance is compareable to acdcli.

JulianMiribel commented 7 years ago

Same issue here.

Tried to setup an amazon profile but it seems amazon won't allow API access anymore so I'm stuck.

@Saren-Arterius no worries, I'm more than pleased to know a security hole might be fixed.

nob0dy80 commented 7 years ago

@madyoda thanks again for the hint. testet it now. what can i say. the bufferunderruns with large video files i had with acdcli are gone and the mounting process is arround 300% faster (cause i dont need to resync my database to see new files in my encrypted mount). since i used acdcli only for the mount, i dont see a reason to use it any longer if rclone handles it so well. Lets see how it works in a longer time period....

tombowditch commented 7 years ago

@nob0dy80 yep I am a big fan of rclone 👍 an idea: when (if 😢) acd_cli comes back, setup a unionfs mount with both the rclone mount plus acd_cli mount for extra redundancy if something like this happens again. It's what I'm going to be doing myself, as well as mirroring my stuff over to Google Drive too and setting up a third "redundant" place.

tombowditch commented 7 years ago

On another note...
image

Giantdouche33 commented 7 years ago

any word from Amazon on this issue?

tombowditch commented 7 years ago

@Giantdouche33 @Saren-Arterius would be the one to ask, though it's a Sunday so I wouldn't expect much until tomorrow.

Saren-Arterius commented 7 years ago

@Giantdouche33 not yet since I replied

yadayada commented 7 years ago

I put up a fixed version of the Appspot app, see http://acd-api-oa.appspot.com/src.

beam commented 7 years ago

So this was oauth problem? What was the problem exactly? Can you give us diff (on gist maybe) between new appspot and old one?

yadayada commented 7 years ago

@beam Yes. See https://github.com/yadayada/acd_api_oauth.

pink-mist commented 7 years ago

Considering the new oauth solution, perhaps this can be closed?