
PHP: Possible OAuth Access Token Leak when using the built in OAuthFetcher to issue OAuth secured proxied requests

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.0.3
    • Component/s: PHP
    • Labels: None

      Description

      In OAuthFetcher the storage key used to save an access token that has been fetched for a proxied request secured through OAuth includes the current owner id. This means that this access token will be accessible to all viewers visiting the gadget instance of this owner, who could possibly use this access token to perform operations at the target API on behalf of the owner.

      To prevent this, the storage key should include the viewer id instead.
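A minimal illustration of the keying problem described above, added here as an example (it is not Shindig's code; the `TokenStore` class, the key layout and the ids are assumptions): with an owner-scoped key, a second viewer of the same gadget instance retrieves the owner's access token, while a viewer-scoped key isolates it.

```php
<?php
// Added example, not Shindig's own code. Models the access-token cache used by
// an OAuthFetcher-style proxy; the key layout and sample ids are assumptions.

final class TokenStore
{
    /** @var array<string,string> cache of access tokens by storage key */
    private array $tokens = [];

    public function __construct(private bool $keyByViewer) {}

    // Build the storage key for an access token obtained for a proxied,
    // OAuth-secured request. The vulnerable variant scopes the token to the
    // gadget owner; the fixed variant scopes it to the viewer who authorized it.
    public function key(array $securityToken, string $serviceName, string $tokenName): string
    {
        $principal = $this->keyByViewer ? $securityToken['viewerId'] : $securityToken['ownerId'];
        return implode(':', [$securityToken['appUrl'], $serviceName, $tokenName, $principal]);
    }

    public function put(array $st, string $service, string $tokenName, string $accessToken): void
    {
        $this->tokens[$this->key($st, $service, $tokenName)] = $accessToken;
    }

    public function get(array $st, string $service, string $tokenName): ?string
    {
        return $this->tokens[$this->key($st, $service, $tokenName)] ?? null;
    }
}

// Constructed scenario: owner "alice" authorizes the gadget against the target
// API, then a different user "bob" views the same gadget instance.
$gadget = 'http://example.invalid/gadget.xml';   // placeholder gadget URL
$aliceViewing = ['appUrl' => $gadget, 'ownerId' => 'alice', 'viewerId' => 'alice'];
$bobViewing   = ['appUrl' => $gadget, 'ownerId' => 'alice', 'viewerId' => 'bob'];

foreach ([0 => 'owner-keyed (vulnerable)', 1 => 'viewer-keyed (fixed)'] as $byViewer => $label) {
    $store = new TokenStore((bool) $byViewer);
    $store->put($aliceViewing, 'targetApi', '', 'ALICE_ACCESS_TOKEN'); // constructed value
    // Under the owner-scoped key bob's lookup hits alice's entry; under the
    // viewer-scoped key it misses and bob must authorize on his own.
    $leaked = $store->get($bobViewing, 'targetApi', '');
    printf("%-25s bob sees owner's token: %s\n", $label, $leaked === null ? 'no' : 'YES');
}
```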


            People

            • Assignee: Bastian Hofmann (bhofmann)
            • Reporter: Bastian Hofmann (bhofmann)
