EVE Technology Lab


CREST server doesn't validate Authorization header

Pete Butcher
The Scope
Gallente Federation
#1 - 2015-02-13 14:40:34 UTC
Turns out, since CREST became public, I was sending a wrong Authorization header to /oauth/token due to a bug in my code. And guess what? For those 2 months everything worked fine. I don't know why the server let me in every single time, but this implies CREST might have some security issues inside.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

Pete Butcher
The Scope
Gallente Federation
#2 - 2015-02-14 10:15:22 UTC
The lack of any response from CCP to this is quite... interesting. Well, I did some experiments and actually managed to crash(?) the /oauth/token endpoint ("Internal server error. Error ref: 838725f6-2778-4e99-a9c6-9ad96f899fdf"). Let me repeat what's going on here:

You have a broken authorization validation, which possibly can be exploited (or at least made to crash).

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

Pete Butcher
The Scope
Gallente Federation
#3 - 2015-02-14 10:53:28 UTC
And I just managed to authorize myself using forged base64 authorization data. Poor show, CCP :(

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

Kali Izia
GoomWaffe
#4 - 2015-02-14 11:08:04 UTC
If you think there's a security issue with SSO, e-mail security@ccpgames.com.

Or you know, at least give someone more than 20 hours on a weekend to respond.
Pete Butcher
The Scope
Gallente Federation
#5 - 2015-02-14 11:11:18 UTC
Kali Izia wrote:
If you think there's a security issue with SSO, e-mail security@ccpgames.com.

Or you know, at least give someone more than 20 hours on a weekend to respond.


I think I'll compile a list of problems I found and mail them. If some app was actually authorizing itself as another, things would be pretty bad.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool

CCP FoxFour
C C P
C C P Alliance
#6 - 2015-02-14 11:12:39 UTC
As was pointed out, security@ccpgames.com would be the place to go with this. Sorry for the late response, you posted late on a Friday when most of us were heading home for the day.

@CCP_FoxFour // Technical Designer // Team Tech Co

Third-party developer? Check out the official developers site for dev blogs, resources, and more.

Pete Butcher
The Scope
Gallente Federation
#7 - 2015-02-14 11:21:19 UTC
CCP FoxFour wrote:
As was pointed out, security@ccpgames.com would be the place to go with this. Sorry for the late response, you posted late on a Friday when most of us were heading home for the day.


Will do. Right now you can basically authorize as any app you want.

http://evernus.com - the ultimate multiplatform EVE trade tool + nullsec Alliance Market tool
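The thread reports a token endpoint that accepted a malformed or forged HTTP Basic Authorization header, that a forged header let a caller act as a different application, and that garbage input produced an internal server error. As an added example that is not part of the original thread and not CCP's code, the block below puts strict client authentication for an OAuth 2.0 token endpoint (RFC 6749 section 2.3.1, Basic scheme per RFC 7617) next to a lax stand-in that illustrates the reported failure class: decoding leniently and trusting the client_id in front of the colon without checking the secret. The client table, secrets and function names are constructed for illustration, and the lax function is a hypothetical stand-in, not a claim about how the real server was written.

```python
"""Strict vs. lax handling of HTTP Basic client credentials at an OAuth 2.0
token endpoint. Constructed example; client ids, secrets and helper names are
assumptions for illustration, not CCP's code or data."""
import base64
import binascii
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# RFC 7235 token68: the only characters that may legally follow "Basic ".
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


# Hypothetical registered clients (constructed): client_id -> digest of secret.
REGISTERED_CLIENTS = {
    "example-trade-tool": _digest("correct-horse-battery-staple"),
    "example-other-app": _digest("s3cret:with:colons"),
}


def basic_header(client_id: str, client_secret: str) -> str:
    """Build the header the way an RFC 6749 client should: form-urlencode both
    values (so a ':' inside a secret becomes %3A), then base64 'id:secret'."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def forged_header(raw: bytes) -> str:
    """Wrap arbitrary bytes in a Basic header, as an attacker or buggy client would."""
    return "Basic " + base64.b64encode(raw).decode("ascii")


def lax_authenticate(header):
    """Hypothetical stand-in for the bug class the thread describes: lenient
    decoding, and the client_id is trusted while the secret is never compared,
    so a forged header selects any registered app. Returns client_id or None."""
    if not header or not header.lower().startswith("basic "):
        return None
    token = header[6:].strip()
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=False)
    except binascii.Error:
        return None
    client_id = raw.decode("latin-1").split(":", 1)[0]
    return client_id if client_id in REGISTERED_CLIENTS else None


def strict_authenticate(header):
    """Return (client_id, None) on success or (None, reason) on failure.
    Every malformed input maps to a reason instead of an exception, so garbage
    in the header cannot surface as a 500 from the token endpoint."""
    if not header:
        return None, "missing_header"
    parts = header.split(None, 1)  # scheme, token68
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None, "wrong_scheme"
    token = parts[1].strip()
    # Reject anything outside token68 or with a non-multiple-of-4 length before decoding.
    if not _TOKEN68.match(token) or len(token) % 4:
        return None, "bad_token68"
    try:
        raw = base64.b64decode(token, validate=True)  # strict alphabet and padding
    except binascii.Error:
        return None, "bad_base64"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None, "not_utf8"
    if ":" not in text:
        return None, "no_separator"
    enc_id, enc_secret = text.split(":", 1)
    client_id, client_secret = unquote(enc_id), unquote(enc_secret)
    # Compare against a dummy digest for unknown ids so timing does not leak
    # which client_ids exist; the membership test below still rejects them.
    expected = REGISTERED_CLIENTS.get(client_id, _digest(""))
    secret_ok = hmac.compare_digest(expected, _digest(client_secret))
    if not secret_ok or client_id not in REGISTERED_CLIENTS:
        return None, "invalid_client"
    return client_id, None


if __name__ == "__main__":
    cases = {
        "well-formed": basic_header("example-trade-tool", "correct-horse-battery-staple"),
        "forged, wrong secret": forged_header(b"example-trade-tool:wrong"),
        "not base64": "Basic !!!not-base64",
        "non-UTF-8 bytes": forged_header(b"\xff\xfe\x00"),
    }
    for name, hdr in cases.items():
        print(f"{name:22} lax={lax_authenticate(hdr)!s:20} strict={strict_authenticate(hdr)}")
```

The forged header is the case that matters for the thread: the lax path returns "example-trade-tool" for a header that never carried that application's secret, while the strict path answers invalid_client. The non-UTF-8 and not-base64 cases are the sort of input that should produce a 400 with a reason, not an internal server error.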