Group tokens are not verified against the current connection ID on reconnect #1506

Closed
DamianEdwards opened this Issue Feb 8, 2013 · 1 comment

Comments

Projects
None yet
3 participants
Owner

DamianEdwards commented Feb 8, 2013

Group tokens currently are only verified for integrity using the signature. However, they are not verified for validity against the connection ID being passed up. This means a group token from one connection could be reused with another connection, allowing conspiring attackers to join connections to groups they were never actually added to.

The official guidance is that applications that use groups for security purposes should validate group membership on reconnect via the OnRejoingingGroups virtual method, the framework could take a defense in depth measure here and include the connection ID in the groups token when generating it and then verifying it on reconnect to ensure the group token was actually issued to the connection ID doing the reconnect.

@ghost ghost assigned davidfowl Feb 22, 2013

davidfowl added a commit that referenced this issue Mar 18, 2013

Ensure that group tokens are unique per connection id.
- Added the connection id to the groups token.
- Verify that it's the same connection id when validating groups.
- Added test to verify that you can't listen to messages if you have
  the groups token alone.

#1506

davidfowl added a commit that referenced this issue Mar 18, 2013

Ensure that group tokens are unique per connection id.
- Added the connection id to the groups token.
- Verify that it's the same connection id when validating groups.
- Added test to verify that you can't listen to messages if you have
  the groups token alone.

#1506

@ghost ghost assigned Xiaohongt Mar 20, 2013

Contributor

Xiaohongt commented Mar 21, 2013

verified

@Xiaohongt Xiaohongt closed this Mar 21, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment