Not my file #549

Open
thibrex opened this Issue Apr 15, 2017 · 42 comments


thibrex commented Apr 15, 2017 edited

Hi,
My acd_cli recently had a database corruption in node.db. I removed it and executed "acd_cli sync".
But since that moment, I have the files of another person and I can download and see his files, upload and remove files! (Obviously I will not touch his files).
Isn't there a problem in acd_cli?
EDIT: I should specify that even if I remove node.db, when I sync I again get the same cloud of this person.
Thanks!

Owner

yadayada commented Apr 16, 2017

Please contact (preferably phone) the Amazon support immediately.

yadayada added the holy cr*p label Apr 16, 2017

thibrex commented Apr 16, 2017

Ok I will call Amazon tomorrow concerning that. It's strange...

thibrex commented Apr 18, 2017 edited

Hi,
I called Amazon and they understood nothing or they do not care, "it's not their stuff because it's not their software"...

I would assume that would be some type of Amazon Drive issue and not related to ACD_CLI due to the nature of how it is making federated requests with specific user data.

It may behoove you to get debug logs for listings and uploading files to that account to see the auth that is being generated for those requests. Definitely sounds suspicious though.

thibrex commented Apr 19, 2017

I will send a mail with evidence to Amazon. I don't really know how acd_cli works, but I think maybe it's my API key that has changed owner?

I suspect you got someone else's auth token somehow, but that should never ever happen or even be possible. I would make a backup of your current oauth_data file (maybe that whole acd_cli cache folder it lives in), move it somewhere else, then re-authorize acd_cli. If you still see other people's files, I would raise holy hell with Amazon until they get the message that their authentication system is compromised. If you see someone else's files, it's entirely possible they can see yours.

Don't expect much though even if you start seeing your own data again. Amazon Drive has been very flaky since yesterday.

Axadiw commented Apr 21, 2017

A couple of days ago I got the same behaviour using acd_cli.

Hi. I suddenly have access to other's files after I deleted the corrupted DB and sync. What the actual fuck??????????

madyoda commented May 13, 2017

Ouch. This could be pretty bad. Did you notice any reproducibility steps?

Saren-Arterius commented May 13, 2017 edited

@madyoda Nope. It happens very randomly. First your DB somehow gets corrupted. Delete it, acdcli sync, then tada.

madyoda commented May 13, 2017

@Saren-Arterius does the amazon web interface show your files?

@madyoda The web interface is fine. Maybe acd_cli triggered this server side problem.

thibrex commented May 13, 2017

I had exactly the same issue, with the same steps to trigger the bug.

madyoda commented May 13, 2017

@Saren-Arterius interesting - seems like it's some token thing. Keep us updated re: amazon email(s) 👍

This is most likely a problem with authentication on Amazon's end. Could be really bad if someone, for example, has an automated script backing up their system to a folder called "backup" and it deletes/replaces someone else's backup folder unnoticed after this glitch occurs.

Perhaps it's worth adding a basic sanity check to prevent since it's happened to more than just a couple people? Maybe have acd_cli write a uuid to a file on acd_cli or otherwise fingerprint the account to ensure it is using the same account as the last time when it syncs nodes and throw a warning if there is a mismatch?
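One way to implement the sanity check suggested above, as an added example that is not part of acd_cli or of this thread: a random marker is written to the drive once and cached locally, and each later sync compares the two and refuses to proceed on any mismatch, including a wiped cache unless the user explicitly opts in. The marker file name, the `drive` dict standing in for the remote account and the `account_marker` cache file are assumptions.

```python
import tempfile
import uuid
from pathlib import Path

MARKER_NAME = ".acd_cli_account_marker"  # hypothetical marker file name in the drive


class AccountMismatch(Exception):
    """The remote account is not the one this cache was created for."""


def check_account(cache_dir, drive, adopt_remote=False):
    """Returns "initialized", "ok" or "adopted"; raises AccountMismatch otherwise.

    `drive` is a constructed stand-in for the remote account: a dict of file name -> content.
    The local copy lives in its own file, so deleting node.db does not remove it.
    """
    local_path = Path(cache_dir) / "account_marker"
    local = local_path.read_text().strip() if local_path.exists() else None
    remote = drive.get(MARKER_NAME)
    if local is None and remote is None:
        marker = str(uuid.uuid4())  # fresh cache, unmarked account: mark both sides
        drive[MARKER_NAME] = marker
        local_path.write_text(marker)
        return "initialized"
    if local is not None and local == remote:
        return "ok"
    if local is None and adopt_remote:
        local_path.write_text(remote)  # wiped cache, marked account: adopt on request only
        return "adopted"
    # Missing remote marker or a marker from another account: refuse to sync or upload.
    raise AccountMismatch(f"local marker {local!r} != remote marker {remote!r}")


def demo():
    """Run the scenarios against two constructed drives; returns each step's outcome."""
    def attempt(cache, drive, **kw):
        try:
            return check_account(cache, drive, **kw)
        except AccountMismatch:
            return "mismatch"
    with tempfile.TemporaryDirectory() as cache:
        mine, other = {}, {MARKER_NAME: str(uuid.uuid4())}  # other = somebody else's account
        steps = [attempt(cache, mine), attempt(cache, mine), attempt(cache, other)]
        Path(cache, "account_marker").unlink()  # simulate a wiped cache folder
        steps += [attempt(cache, mine), attempt(cache, mine, adopt_remote=True)]
    return steps
```

The third and fourth steps are the two failure modes the thread describes: a token that suddenly belongs to someone else's account, and a cache wiped after a node.db corruption.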

So this is my take on this: The corrupted db is not the cause of this problem but rather a side effect.
I guess that during some regular request (upload, download, file list, etc.) the OAuth token got renewed but what amazon or the appspot authenticator returned was the renewed OAuth of somebody else.

I took a look at the authenticator implementation and it seems pretty solid, so maybe amazon screwed something up on their end.

I'm currently running a "get usage information, renew token, check if usage changed" loop to reproduce this error, but with no success at this time.

M0V3 commented May 13, 2017

Seems to me like this has something to do with the Rate Exceeded Error. Reports of both errors seem to come up at the same time.

nbyloff commented May 14, 2017

When I look at the oauth code in acdcli, it uses an AppSpotAuthenticator. Why? Can't authentication be done using a more common OAuth setup?

@nbyloff Authorization using the Google App Engine (AppSpot) "proxy" is used for simplicity. You can set up a local OAuth callback and use that, see Authorization.

Has anyone attempted to contact the user whose files they received and find out if they use acd_cli?

Their security team replied. I hope this issue can be fixed sooner...

@davidjameshowell They did not confirm, but I guess it should be...

madyoda commented May 14, 2017

@Saren-Arterius any idea what they said? If you visit https://tensile-runway-92512.appspot.com/ now, it says unknown client_id. Almost seems like acd_cli got revoked from Amazon.

I learned from Amazon: just wait and see
Give the security team some time....

Saren-Arterius commented May 14, 2017 edited

@madyoda

To help us have a full understanding of your report (HGXXXXXXXXX), can you please let us know when exactly did you start experiencing this issue?

Could you please also tell us how you initially authenticated to Amazon Cloud Drive using acd_cli? I can see different methods described on https://acd-cli.readthedocs.io/en/latest/authorization.html.

Seeing acd_cli no longer works possibly because of this, I somehow feel guilty lol.

madyoda commented May 14, 2017

@Saren-Arterius I wouldn't feel guilty - you potentially stopped a big issue i.e. people accessing each others accounts. I'd mention you used tensile-runway-92512.appspot.com and that's hosted on the Google App Engine.
(I also don't know if it's public info but you may want to remove the report ID in the brackets (HG....))

@madyoda Thanks for the reminder, the ID is removed.

Shame on you @Saren-Arterius ... since acdcli is down and I can't access my encrypted media files I feel kind of prehistoric :-)
If acdcli won't come back I would be kind of lost, since I don't know another way to mount the drive into a folder on Linux :-/

madyoda commented May 14, 2017

@nob0dy80 take a look at rclone, specifically this

@nob0dy80 rofl didn't expect that

@Saren-Arterius everything fine... security first. Not your fault at all... but I hope it will come back, it worked great for me.

@madyoda ...oh... didn't know there is a mount option on rclone. But I don't like the word "experimental" when playing around with my media. But I'll give it a try. Hope the performance is comparable to acdcli.

Same issue here.

Tried to set up an Amazon profile, but it seems Amazon won't allow API access anymore, so I'm stuck.

@Saren-Arterius no worries, I'm more than pleased to know a security hole might be fixed.

@madyoda thanks again for the hint. Tested it now. What can I say: the buffer underruns with large video files I had with acdcli are gone and the mounting process is around 300% faster (because I don't need to resync my database to see new files in my encrypted mount).
Since I used acdcli only for the mount, I don't see a reason to use it any longer if rclone handles it so well.
Let's see how it works over a longer time period....

madyoda commented May 14, 2017

@nob0dy80 yep I am a big fan of rclone 👍 an idea: when (if 😢) acd_cli comes back, setup a unionfs mount with both the rclone mount plus acd_cli mount for extra redundancy if something like this happens again. It's what I'm going to be doing myself, as well as mirroring my stuff over to Google Drive too and setting up a third "redundant" place.

madyoda commented May 14, 2017

On another note...
[image]

any word from Amazon on this issue?

madyoda commented May 14, 2017

@Giantdouche33 @Saren-Arterius would be the one to ask, though it's a Sunday so I wouldn't expect much until tomorrow.

@Giantdouche33 not yet since I replied

Owner

yadayada commented May 25, 2017

I put up a fixed version of the Appspot app, see http://acd-api-oa.appspot.com/src.

yadayada added the oauth label May 25, 2017
