deal with leak of Venmo access/refresh tokens #1

Closed
chadwhitacre opened this Issue Feb 7, 2014 · 25 comments

Comments

Projects
None yet
6 participants
@chadwhitacre
Contributor

chadwhitacre commented Feb 7, 2014

@Changaco asked for a dump of the elsewhere table as part of his work on gratipay/gratipay.com#1369 (IRC). I gave him:

I had decided this was acceptable because the elsewhere table doesn't contain any information that's not publicly accessible via existing APIs (the user_info comes from public APIs on other platforms, and the link between a Gittip account and an account elsewhere is scrapable on public Gittip). Except that it does. In gratipay/gratipay.com#1857, when we added the ability to connect a Venmo account, we added access_token and refresh_token fields to the elsewhere table. These are private tokens that can presumably be used to impersonate a Venmo user, which is a big deal because Venmo is a payments company and impersonating a user would likely mean taking their money.

The gist does not contain any access_tokens or refresh_tokens, because I only included the bitbucket, bountysource, github, and twitter platforms in that gist (I didn't have venmo in mind, clearly), and we don't store oauth tokens for those platforms.

The elsewhere.tbz file contains Venmo tokens for approximately 49 users (depending on the exact state of the database when I did the export; currently there are 49 users with venmo attached).

I've taken down the elsewhere.tbz file. The static.whit537.org web server does not keep access logs, so I don't know how many times elsewhere.tbz was downloaded. It was up from Feb 4 at 12:53pm US/Eastern until today, Feb 7 at 8:45am US/Eastern.

Next steps:

  • Understand the implications of leaking oauth access and refresh tokens.
  • Decide how to repair the damage.
  • Decide what notification of affected users is necessary.
  • Decide what notification to Venmo is necessary.

I believe we should be able to simply revoke at least one of the tokens, and hopefully both.

We have another situation with Venmo where we're using an oauth app registered under my personal Venmo account, and would like to move to an oauth app registered under the Gittip Venmo account. It could make sense to make that switch as part of dealing with this ticket.

@bruceadams

This comment has been minimized.

Show comment
Hide comment
@bruceadams

bruceadams Feb 7, 2014

I think we want to bring Venmo in the loop soon, probably now. Not sure how best to, in fact, do that.

I think we want to bring Venmo in the loop soon, probably now. Not sure how best to, in fact, do that.

@clone1018

This comment has been minimized.

Show comment
Hide comment
@clone1018

clone1018 Feb 7, 2014

@whit537 Did you post the file anywhere on the public internet or just in a query to Chango?

Another question:
Would moving key accounts (from Chad Whitacre to Gittip) reset the users keys? Would the users notice anything?

@whit537 Did you post the file anywhere on the public internet or just in a query to Chango?

Another question:
Would moving key accounts (from Chad Whitacre to Gittip) reset the users keys? Would the users notice anything?

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

@clone1018 The file was available on the public Internet. I posted the URL in public, logged IRC (but only there).

Contributor

chadwhitacre commented Feb 7, 2014

@clone1018 The file was available on the public Internet. I posted the URL in public, logged IRC (but only there).

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

@bruceadams I think it would make the most sense to start by reaching out to the two Venmo employees that were working with us in the first place. I wish we could give them permissions on this ticket without giving them permission on the repo as a whole. :-/

Not sure how best to do this ...

Contributor

chadwhitacre commented Feb 7, 2014

@bruceadams I think it would make the most sense to start by reaching out to the two Venmo employees that were working with us in the first place. I wish we could give them permissions on this ticket without giving them permission on the repo as a whole. :-/

Not sure how best to do this ...

@bruceadams

This comment has been minimized.

Show comment
Hide comment
@bruceadams

bruceadams Feb 7, 2014

Well, can we give them access to this repo for now and take it away later?

That doesn't help much for the next incident we might want to bring other people in for, but should work for this one, for the moment.

Well, can we give them access to this repo for now and take it away later?

That doesn't help much for the next incident we might want to bring other people in for, but should work for this one, for the moment.

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

This is encouraging:

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

Contributor

chadwhitacre commented Feb 7, 2014

This is encouraging:

The idea of refresh tokens is that if an access token is compromised, because it is short-lived, the attacker has a limited window in which to abuse it.

Refresh tokens, if compromised, are useless because the attacker requires the client id and secret in addition to the refresh token in order to gain an access token.

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

I've reported to Venmo (@simon-weber) via IRC private message (not the most secure but I think acceptable in this circumstance).

Contributor

chadwhitacre commented Feb 7, 2014

I've reported to Venmo (@simon-weber) via IRC private message (not the most secure but I think acceptable in this circumstance).

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

I've renamed this repo from security to security-00000. Let's try having one private repo per security incident. Unfortunately I had to create a new team to give @simon-weber access here, and the existence of that team is (I believe) public.

Contributor

chadwhitacre commented Feb 7, 2014

I've renamed this repo from security to security-00000. Let's try having one private repo per security incident. Unfortunately I had to create a new team to give @simon-weber access here, and the existence of that team is (I believe) public.

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

From @simon-weber in private IRC:

ok. so we just need affected folks to revoke and make sure there aren't any transactions they don't recognize, right?

Contributor

chadwhitacre commented Feb 7, 2014

From @simon-weber in private IRC:

ok. so we just need affected folks to revoke and make sure there aren't any transactions they don't recognize, right?

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

There are 41 affected accounts.

Contributor

chadwhitacre commented Feb 7, 2014

There are 41 affected accounts.

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

Notifying users is a challenge, because we don't have email addresses, at least on the Gittip side (gratipay/gratipay.com#89).

Contributor

chadwhitacre commented Feb 7, 2014

Notifying users is a challenge, because we don't have email addresses, at least on the Gittip side (gratipay/gratipay.com#89).

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

@simon-weber We also need to switch from using an oauth application registered with my personal Venmo account, to using one registered with Gittip's Venmo business account. Would destroying the current oauth application effectively revoke the user's refresh tokens?

Contributor

chadwhitacre commented Feb 7, 2014

@simon-weber We also need to switch from using an oauth application registered with my personal Venmo account, to using one registered with Gittip's Venmo business account. Would destroying the current oauth application effectively revoke the user's refresh tokens?

@simon-weber

This comment has been minimized.

Show comment
Hide comment
@simon-weber

simon-weber Feb 7, 2014

We revoked each individual token on our end.

We're going to check to see if there were payments made on those accounts since the leak.

We revoked each individual token on our end.

We're going to check to see if there were payments made on those accounts since the leak.

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

!m @simon-weber. Thank you.

I've emailed support@venmo.com about a problem I'm having creating a new oauth application using the Gittip business account. I get the following when I click "new" next to Your Applications (0):

screen shot 2014-02-07 at 2 12 38 pm

Contributor

chadwhitacre commented Feb 7, 2014

!m @simon-weber. Thank you.

I've emailed support@venmo.com about a problem I'm having creating a new oauth application using the Gittip business account. I get the following when I click "new" next to Your Applications (0):

screen shot 2014-02-07 at 2 12 38 pm

@simon-weber

This comment has been minimized.

Show comment
Hide comment
@simon-weber

simon-weber Feb 7, 2014

We should be good to go: there were no payments made through the gittip consumer since the leak (or ever actually, which is probably to be expected since we never had that functionality hooked that up on gittip.com).

We should be good to go: there were no payments made through the gittip consumer since the leak (or ever actually, which is probably to be expected since we never had that functionality hooked that up on gittip.com).

@simon-weber

This comment has been minimized.

Show comment
Hide comment
@simon-weber

simon-weber Feb 7, 2014

@whit537 re: trouble making the application: I'll see if I can get more details.

@whit537 re: trouble making the application: I'll see if I can get more details.

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

Awesome, thanks @simon-weber!

Contributor

chadwhitacre commented Feb 7, 2014

Awesome, thanks @simon-weber!

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

@bruceadams @zwn @clone1018 How does Gittip want to go about disclosing this leak? I propose that we write a blog post about it.

One advantage to the "one repo per security incident" model is that we can make the repo public (after reviewing for further sensitive info) once we're ready to disclose the incident.

Contributor

chadwhitacre commented Feb 7, 2014

@bruceadams @zwn @clone1018 How does Gittip want to go about disclosing this leak? I propose that we write a blog post about it.

One advantage to the "one repo per security incident" model is that we can make the repo public (after reviewing for further sensitive info) once we're ready to disclose the incident.

@zwn

This comment has been minimized.

Show comment
Hide comment
@zwn

zwn Feb 7, 2014

I am fine with that.

zwn commented Feb 7, 2014

I am fine with that.

@bruceadams

This comment has been minimized.

Show comment
Hide comment
@bruceadams

bruceadams Feb 7, 2014

A blog post sounds good. (I'm not offering to write it.) Making this issue public is fine as well.

A blog post sounds good. (I'm not offering to write it.) Making this issue public is fine as well.

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

Draft:

Forty-one Accounts Involved in Security Leak

On February 4, 2014, we leaked security tokens for the Venmo accounts of 41 Gittip users, which an attacker could have used to steal money. We discovered the leak on February 7, and immediately stopped the leak and notified Venmo. Venmo revoked the affected security tokens, and confirms that no fraudulent transactions were made using these tokens.

No user action is required.

For details, please see the incident repository, which was private while the incident was underway and has been made public with this disclosure.

Sorry. :-(

Contributor

chadwhitacre commented Feb 7, 2014

Draft:

Forty-one Accounts Involved in Security Leak

On February 4, 2014, we leaked security tokens for the Venmo accounts of 41 Gittip users, which an attacker could have used to steal money. We discovered the leak on February 7, and immediately stopped the leak and notified Venmo. Venmo revoked the affected security tokens, and confirms that no fraudulent transactions were made using these tokens.

No user action is required.

For details, please see the incident repository, which was private while the incident was underway and has been made public with this disclosure.

Sorry. :-(

@chadwhitacre

This comment has been minimized.

Show comment
Hide comment
@chadwhitacre

chadwhitacre Feb 7, 2014

Contributor

I've made this repo public. Let's finalize the blog post and publish.

Contributor

chadwhitacre commented Feb 7, 2014

I've made this repo public. Let's finalize the blog post and publish.

@chadwhitacre chadwhitacre referenced this issue in gratipay/gratipay.com Feb 7, 2014

Closed

switch to using Gittip's Venmo app #1995

@chadwhitacre chadwhitacre referenced this issue in gratipay/gratipay.com Feb 7, 2014

Closed

configure read-only role for db #1996

@balupton

This comment has been minimized.

Show comment
Hide comment
@balupton

balupton Feb 8, 2014

There are 41 affected accounts.

What does that actually mean? Was there only 41 accounts with Venmo linked to Gittip? What makes these 41 accounts special?

No user action is required.

At the very least, Gittip should notify those affected.

balupton commented Feb 8, 2014

There are 41 affected accounts.

What does that actually mean? Was there only 41 accounts with Venmo linked to Gittip? What makes these 41 accounts special?

No user action is required.

At the very least, Gittip should notify those affected.

@zwn

This comment has been minimized.

Show comment
Hide comment
@zwn

zwn Feb 8, 2014

That is the number of connected Venmo accounts. Gittip has now way of notifying its users 😟 besides the blog post.

zwn commented Feb 8, 2014

That is the number of connected Venmo accounts. Gittip has now way of notifying its users 😟 besides the blog post.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment