Better security #3093

prdatur · 2023-02-21T01:14:52Z

I checked the obs browser pages (alerts and polls) and saw that the authToken for the websocket is stored within a js file globally readable.

The authToken should be generated (or stored in botconfig) onetime which is then appended to the browser source url as a GET-Parameter.
It could also be a button to generate / regenerate the authToken within the panel.

Yes, the authToken is then present within the Link, but as a streamer the browser source url is not shown.
Currently, any user who knows a phantombot url can just connect to the websocket and send commands without authentication.

prdatur · 2023-03-02T09:18:18Z

I do not really understand why the given changes makes the socket read only, but also if i assume it is now read only, read only means that any user could ready things he should not be able to.
For me this Issue is not closed, the auth key is still not present in the browser url, instead it is directly injected for everyone who knows the url.

gmt2001 self-assigned this Feb 21, 2023

gmt2001 added the bug label Feb 21, 2023

gmt2001 added this to Needs triage in Bug Triage via automation Feb 21, 2023

gmt2001 added this to the 3.7.0 milestone Feb 21, 2023

gmt2001 moved this from Needs triage to High priority in Bug Triage Feb 21, 2023

gmt2001 closed this as completed in e4e2305 Feb 27, 2023

Bug Triage automation moved this from High priority to Closed Feb 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Better security #3093

Better security #3093

prdatur commented Feb 21, 2023

prdatur commented Mar 2, 2023

Better security #3093

Better security #3093

Comments

prdatur commented Feb 21, 2023

prdatur commented Mar 2, 2023