Summary
When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed.
Details
Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a dependent: delete_all
configuration, which means the after_commit
callback setup on AccessTokenExtension
didn't actually fire, since delete_all
doesn't trigger ActiveRecord callbacks.
To mitigate, we need to add a before_destroy
callback to ApplicationExtension
which announces to streaming that all the Application's Access Tokens are being "killed".
PoC
This vulnerability was only possible to exploit through a user created application on their own account (that's why I noticed it whilst testing the implementation for client credentials for streaming)
Impact
Impact should be negligible given the application had to be owned by the user.
Summary
When an OAuth Application is destroyed, the streaming server wasn't being informed that the Access Tokens had also been destroyed, this could have posed security risks to users by allowing an application to continue listening to streaming after the application had been destroyed.
Details
Essentially this comes down to the fact that when Doorkeeper sets up the relationship between Applications and Access Tokens, it uses a
dependent: delete_all
configuration, which means theafter_commit
callback setup onAccessTokenExtension
didn't actually fire, sincedelete_all
doesn't trigger ActiveRecord callbacks.To mitigate, we need to add a
before_destroy
callback toApplicationExtension
which announces to streaming that all the Application's Access Tokens are being "killed".PoC
This vulnerability was only possible to exploit through a user created application on their own account (that's why I noticed it whilst testing the implementation for client credentials for streaming)
Impact
Impact should be negligible given the application had to be owned by the user.