Jan 1, 17 / Aqu 01, 01 23:23 UTC

[BUG] Security issue on identities

Hello, Asgardian folks.

Forum user ID is the same as citizen number ID, which kinda makes sense. Yesterday, I coded a little script to get profile info, only the name. I got about the first 1,000 user numbers and names in a tiny database. Probably the first 1,000 are people with some kind of proximity or relation to the founder.

Plausible examples (found on the list):

- Prof. Welch
- Mr. Revell
- Mr. Mosher
- ...

I emphasise that Igor Ashurbeyli doesn't seem to be on the list (I retrieved a little less than 1k entries).

What I want to say is that probably using a number and allowing anyone to get some information, even if they never posted on the forum, is kinda risky, isn't it?

I remember, about 10 years ago, you could get some information on a user by typing the user's landline number into some websites, so you could create your own database. It is now illegal in my first country. I just want to let you know about the possibilities and potential of getting the whole database matching "user name/login" and ID.

Perhaps you consider this a mistake and I'm being a little bit excessively careful. Of course my sole intention is to tell you about this possible issue. Hope to hear from you, folks.

Jan 1, 17 / Aqu 01, 01 23:34 UTC

Thank you, the IT team is already aware of this problem, which is a priority, and security will be strengthened as soon as possible.

Jan 3, 17 / Aqu 03, 01 00:18 UTC

Good catch @drober.

I guess one simple solution would be not to use the internal DB id in the URL; a UUID would do the trick. Each user would be assigned a UUID and therefore be indexed using this UUID, which is random and 32 digits long, so that people cannot scrape data by simply applying a pattern and +1 for each different user.
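As an added illustration of the UUID approach proposed in the post above (example code written for this thread, not the forum software's own implementation), the directory below keeps the sequential database id on the server and exposes only a random 32-hex-digit UUID in URLs. The class name, its API and the sample user names are assumptions made for the demo:

```python
"""Added example: public profile identifiers drawn from uuid4 instead of the
sequential internal id.  Not the forum software's own code."""
import uuid
from typing import Dict, Optional


class UserDirectory:
    """Holds the 'concordance table' between the private auto-increment id
    and the public UUID; only the UUID is ever reachable from a URL."""

    def __init__(self) -> None:
        self._next_internal_id = 1                     # sequential, never leaves the server
        self._by_internal: Dict[int, dict] = {}
        self._internal_by_public: Dict[str, int] = {}  # public uuid hex -> internal id

    def register(self, name: str) -> str:
        internal_id = self._next_internal_id
        self._next_internal_id += 1
        # uuid4 draws 122 random bits; .hex renders it as 32 hex digits
        public_id = uuid.uuid4().hex
        self._by_internal[internal_id] = {"name": name, "public_id": public_id}
        self._internal_by_public[public_id] = internal_id
        return public_id

    def get_profile(self, public_id: str) -> Optional[dict]:
        """The only lookup a URL handler should call.  Anything that is not a
        well-formed UUID (e.g. '1', '2', '3') is rejected before the database
        is touched, so a '+1 per user' walk never reaches the table."""
        try:
            canonical = uuid.UUID(public_id).hex   # also normalises case and hyphens
        except ValueError:
            return None
        internal_id = self._internal_by_public.get(canonical)
        if internal_id is None:
            return None
        return {"name": self._by_internal[internal_id]["name"]}


def count_guessable_by_sequential_id(directory: UserDirectory, upper: int) -> int:
    """Defender's self-check: how many profiles would a plain 1..upper id
    scan reveal?  Against the UUID-keyed directory the answer is zero."""
    return sum(1 for i in range(1, upper + 1) if directory.get_profile(str(i)) is not None)


if __name__ == "__main__":
    directory = UserDirectory()
    for name in ("Alice", "Bob", "Carol"):          # constructed sample users
        print(name, "->", directory.register(name))
    print("profiles exposed by a 1..1000 scan:",
          count_guessable_by_sequential_id(directory, 1000))
```

The random identifier only closes the enumeration path; the profile endpoint should still apply the usual authorisation rule (who may read which fields) once the UUID resolves, since a UUID that leaks elsewhere is as usable as the old number was.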

Jan 4, 17 / Aqu 04, 01 21:38 UTC

The links in the mail for the 2nd stage verification do not expire, no matter how long someone takes to make the confirmation, and if you use them you don't have to enter the password on the web site to access and complete the info that they must import.
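The two weaknesses reported in this post (links that never expire, and a link that stands in for a password) are usually addressed with a signed, time-limited, single-use token. The following is an added example written for this thread, not the site's own code; the signing key, the 24-hour lifetime and the in-memory "already redeemed" set are assumptions for the demo:

```python
"""Added example: verification-link tokens that are HMAC-signed, expire,
and can be redeemed only once.  Not the forum software's own code."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

SECRET_KEY = secrets.token_bytes(32)  # hypothetical server-side key; load from config in practice


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class VerificationLinks:
    """Issues and redeems the token carried in a 2nd-stage verification link."""

    def __init__(self, key: bytes, ttl_seconds: int = 24 * 3600) -> None:
        self._key = key
        self._ttl = ttl_seconds
        self._redeemed: set = set()  # nonces already used (a DB table in practice)

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        payload = {"uid": user_id, "exp": int(now) + self._ttl,
                   "nonce": secrets.token_hex(16)}
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64e(sig)}"

    def redeem(self, token: str, now: Optional[float] = None) -> Tuple[Optional[int], str]:
        """Returns (user_id, 'ok') or (None, reason).  The signature is checked
        before anything inside the payload is trusted."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(_b64d(sig), expected):
                return None, "bad-signature"
            payload = json.loads(_b64d(body))
        except (ValueError, TypeError):
            return None, "malformed"
        if now > payload["exp"]:
            return None, "expired"
        if payload["nonce"] in self._redeemed:
            return None, "already-used"
        self._redeemed.add(payload["nonce"])
        # Redeeming only marks the address as verified; the profile form that
        # follows should still sit behind a normal password login, so the
        # link alone never grants account access.
        return payload["uid"], "ok"


if __name__ == "__main__":
    links = VerificationLinks(SECRET_KEY, ttl_seconds=3600)
    token = links.issue(7)
    print(links.redeem(token))            # (7, 'ok')
    print(links.redeem(token))            # (None, 'already-used')
```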

Jan 19, 17 / Aqu 19, 01 21:11 UTC

Hello again, mates!

Sorry, I was expecting to be subscribed to this forum thread automatically when I posted it. Didn't get any email alert, ha! :) I think that using, as @Vadorequest proposes, a UUID for each user and a concordance table would definitely be much better than using the "National Identification Number", even if it's ugly and not SEO-friendly at all. Yet, I'm not a developer but an analyst/sysadmin (hobby) and a researcher (as my job).

To be honest, I just came back to this thread to offer my help. I'm a GNU/Linux enthusiast and also an IT professional of many years.

Jan 21, 17 / Aqu 21, 01 04:45 UTC

Such a bizarre security bug... Why not close this forum until it gets patched up?

Jan 23, 17 / Aqu 23, 01 22:45 UTC

@idontneedanything, because no software is perfect, and waiting to have perfect software before releasing it is the worst possible choice, because it will never get perfect, and may not go in the initially intended direction.

It is not a major security issue, but it's not a good thing for sure. I hope it's addressed quickly too.

Jan 29, 17 / Pis 01, 01 18:50 UTC

It is a major security issue. It's able to be abused to retrieve any DB contents, effectively. Quite why this is even possible in the first place is a mystery. Sequential DB reads would be one of the first things you train an IDS to look for. True, perfect software is a rarity, but there's a big difference between releasing buggy crap that's basically dangerous to use and going out of your way to install it on hardware to throw a few hundred thousand users at. It would be a better - much better - option to check for this sort of thing first, and install something without such concerns. Someone professional would have.

Closing the forum until it's patched would have been the responsible thing to have done, yes. But they're all about responsible action here - because your security matters, they're going to run with the holes in place, nonchalantly flaunting their rock-solid principle of just hoping nothing bad happens because of it.
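The post above says sequential DB reads are among the first things an IDS should be trained on. As an added example (written for this thread, not any product's or the forum's own detection logic), the script below parses access-log lines in the common "combined" format and flags any client whose profile requests step through ids one at a time. The log lines, the `/profile/<id>` URL shape and the run-length threshold are constructed for the demo:

```python
"""Added example: flagging sequential profile-id walks in web access logs.
The lines and URL layout are constructed; this is not the forum's own code."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed access-log lines in Apache/nginx "combined" format (not real logs).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2017:23:01:00 +0000] "GET /profile/1 HTTP/1.1" 200 512 "-" "python-requests/2.12"',
    '198.51.100.20 - - [01/Jan/2017:23:01:01 +0000] "GET /forum/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2017:23:01:01 +0000] "GET /profile/2 HTTP/1.1" 200 498 "-" "python-requests/2.12"',
    '203.0.113.7 - - [01/Jan/2017:23:01:02 +0000] "GET /profile/3 HTTP/1.1" 200 530 "-" "python-requests/2.12"',
    '198.51.100.20 - - [01/Jan/2017:23:01:03 +0000] "GET /profile/42 HTTP/1.1" 200 511 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2017:23:01:03 +0000] "GET /profile/4 HTTP/1.1" 200 515 "-" "python-requests/2.12"',
    '203.0.113.7 - - [01/Jan/2017:23:01:04 +0000] "GET /profile/5 HTTP/1.1" 404 0 "-" "python-requests/2.12"',
    '203.0.113.7 - - [01/Jan/2017:23:01:05 +0000] "GET /profile/6 HTTP/1.1" 200 503 "-" "python-requests/2.12"',
    '198.51.100.20 - - [01/Jan/2017:23:01:06 +0000] "GET /profile/17 HTTP/1.1" 200 507 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2017:23:01:06 +0000] "GET /profile/7 HTTP/1.1" 200 520 "-" "python-requests/2.12"',
    '203.0.113.7 - - [01/Jan/2017:23:01:07 +0000] "GET /profile/8 HTTP/1.1" 200 499 "-" "python-requests/2.12"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PROFILE_RE = re.compile(r"^/profile/(\d+)$")   # assumed URL shape for the demo


def profile_ids_by_client(lines: List[str]) -> Dict[str, List[int]]:
    """Maps client address -> ordered list of numeric profile ids it requested."""
    seen: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # unparseable line, skip
        p = PROFILE_RE.match(m.group("path"))
        if p:
            seen[m.group("client")].append(int(p.group(1)))
    return seen


def detect_sequential_scans(lines: List[str], min_run: int = 5) -> List[dict]:
    """Flags clients whose profile requests form a run of ids that step by
    exactly one (up or down).  A 404 inside the run still counts: a scanner
    keeps walking whether or not a given id exists."""
    alerts = []
    for client, ids in profile_ids_by_client(lines).items():
        best_len, best_start, best_end = 1, ids[0], ids[0]
        run_len, run_start = 1, ids[0]
        for prev, cur in zip(ids, ids[1:]):
            if abs(cur - prev) == 1:
                run_len += 1
            else:
                run_len, run_start = 1, cur
            if run_len > best_len:
                best_len, best_start, best_end = run_len, run_start, cur
        if best_len >= min_run:
            alerts.append({"client": client, "run_length": best_len,
                           "first_id": best_start, "last_id": best_end})
    return sorted(alerts, key=lambda a: -a["run_length"])


if __name__ == "__main__":
    for alert in detect_sequential_scans(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same rule would run over a sliding time window and be paired with a per-client rate limit on the profile endpoint, so that the walk is throttled as well as reported; the threshold of five consecutive ids is a starting point, not a tuned value.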