Earlier today I realised that our secret_token.rb of openSNP is publicly available on GitHub - which is a bad thing, because our server signs all cookies with that thing!
Any attacker who obtains the secret token can generate valid cookies for your application. The user-id is digested with the secret token and then stored in the cookie; because the user doesn’t know the secret token, he/she cannot change his/her user-id. If the attacker knows the secret token, it’s relatively easy to generate a valid cookie to log in as the admin (or check out what other users have inside their account…)
It seems this is not public knowledge. If you google for “secret_token.rb” you can find quite a few projects on GitHub and elsewhere which store their secret key in the open; I just hope that’s not the actual secret on the server.
How to fix it: create a new token using “rake secret” (I had to install the vegas-gem for that; alternatively you can make up your own long random string), put it in its own file, add that file to the .gitignore and reference it from inside your secret_token.rb, like this for example. Then restart your server (this will invalidate your old sessions, so users will have to log in again). I don’t think this works when you deploy to Heroku; here’s a solution for that.
Takes 5 minutes and makes your application much more secure!
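To make the cookie mechanism above concrete, here is an added Ruby example (not openSNP’s or Rails’ own code) that models how a Rails 3 cookie store signs the session with secret_token, shows that a digest only verifies when it was produced with the secret, and loads the token from a separate file the way the fix describes. The helper names and the file path are assumptions of this example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'
require 'tmpdir'

# Minimal model of how a Rails 3 cookie store protects the session: the
# payload is Base64 encoded and an HMAC-SHA1 digest keyed with secret_token
# is appended. JSON is used here instead of Rails' Marshal serialisation.
def sign_session(secret, session)
  data = Base64.strict_encode64(session.to_json)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time string comparison, so verification leaks no timing signal.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil if the digest does not match the payload.
# Without the secret a client cannot produce a digest for an altered user_id.
def verify_session(secret, cookie)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA1', secret, data), digest)
  JSON.parse(Base64.strict_decode64(data))
rescue ArgumentError, JSON::ParserError
  nil
end

# The fix from the post: the token lives in its own file (listed in .gitignore)
# and is generated once with the same entropy `rake secret` uses (128 hex chars).
# The path is an assumption of this example.
def load_secret_token(path)
  File.write(path, SecureRandom.hex(64)) unless File.exist?(path)
  token = File.read(path).strip
  raise "secret token in #{path} is too short" if token.length < 30
  token
end

# Restarting with a fresh token means cookies signed under the old one fail.
def rotation_invalidates_old_cookie?
  old_secret = SecureRandom.hex(64)
  cookie = sign_session(old_secret, { 'user_id' => 1 })
  !verify_session(old_secret, cookie).nil? && verify_session(SecureRandom.hex(64), cookie).nil?
end
```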
- biggestfool posted this