Not my file

[thibrex]

Hi,
My acd_cli has got a recent database corruption in node.db. I removed it and I executed "acd_cli sync".
But since that moment, I have the files of another person and I can download and see his files, upload and remove files! (Obviously I will not touch his files).
Is there not a problem in acd_cli ?
EDIT: I specify that even I remove the node.db, when I sync I have again the same cloud of this person
Thanks!

[yadayada]

Please contact (preferably phone) the Amazon support immediately.

[thibrex]

Ok I will call Amazon tomorrow concerning that. It's strange...

[thibrex]

Hi,
I called Amazon and they have understood nothing or they do not care, "it's not their stuff because it's not their software"...

[davidjameshowell]

I would assume that would be some type of Amazon Drive issue and not related to ACD_CLI due to the nature of how it is making federated requests with specific user data.

It may behoove you to get debug logs for listings and uploading files to that account to see the auth that is being generated for those requests. Definitely sounds suspicious though.

[thibrex]

I will send a mail with evidence to Amazon. I don't know really how works acd_cli but I think it's my API Key which have moved of owner maybe ?

[thenoahcomputer]

I suspect you got someone else's auth token somehow, but that should never ever happen or even be possible. I would make a backup of your current oauth_data file (maybe that whole acd_cli cache folder it lives in), move it somewhere else, then re-authorize acd_cli. If you still see other people's files, I would raise holy hell with Amazon until they get the message that their authentication system is compromised. If you see someone else's files, it's entirely possible they can see yours.

Don't expect much though even if you start seeing your own data again. Amazon Drive has been very flaky since yesterday.

[Axadiw]

couple days ago I've got the same behaviour using acd_cli

[Saren-Arterius]

Hi. I suddenly have access to other's files after I deleted the corrupted DB and sync. What the actual fuck??????????

[Saren-Arterius]

[Saren-Arterius]

I have contacted aws-security@amazon.com and security@amazon.com

[madyoda]

Ouch. This could be pretty bad. Did you notice any reproducability steps?

[Saren-Arterius]

@madyoda Nope. It happens very randomly. First your DB somehow gets corrupted. Delete it, acdcli sync, then tada.

[madyoda]

@Saren-Arterius does the amazon web interface show your files?

[Saren-Arterius]

@madyoda The web interface is fine. Maybe acd_cli triggered this server side problem.

[thibrex]

I had exactly the same issue, with the same step to do the bug.

[madyoda]

@Saren-Arterius interesting - seems like it's some token thing. Keep us updated re: amazon email(s) 👍

[thenoahcomputer]

This is most likely a problem with authentication on Amazon's end. Could be really bad if someone, for example, has an automated script backing up their system to a folder called "backup" and it deletes/replaces someone else's backup folder unnoticed after this glitch occurs.

Perhaps it's worth adding a basic sanity check to prevent since it's happened to more than just a couple people? Maybe have acd_cli write a uuid to a file on acd_cli or otherwise fingerprint the account to ensure it is using the same account as the last time when it syncs nodes and throw a warning if there is a mismatch?

[skirsten]

So this is my take on this: The corrupted db is not the cause of this problem but rather a side effect.
I guess that during some regular request (upload, download, file list, etc.) the OAuth token got renewed but what amazon or the appspot authenticator returned was the renewed OAuth of somebody else.

I took a look at the authenticator implementation and it seems pretty solid, so maybe amazon screwed something up on their end.

I'm currently running a get usage information, renew token, check if usage changed loop to reproduce this error but with no success at this time.

[M0V3]

Seems to me like this has something to do with the Rate Exceeded Error. Reports of both errors seem to come up at the same time.

[nbyloff]

When I look at the oauth code in acdcli, it uses an AppSpotAuthenticator. Why? Can't authentication be done using a more common OAuth setup?

[skirsten]

@nbyloff Authorization using the Google App Engine (AppSpot) "proxy" is used for simplicity. You can setup a local OAuth callback and use that, see Authorization.

[PlasmaPower]

Has anyone attempted to contact the user whose files they received and find out if they use acd_cli?

[Saren-Arterius]

Their security team replied. I hope this issue can be fixed sooner...

[davidjameshowell]

So it was deemed to be an issue on Amazon's authentication side? An actual issue?

…

On May 13, 2017 8:29 PM, "Saren Arterius" ***@***.***> wrote: Their security team replied. I hope this issue can be fixed sooner... — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#549 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/APt9cR4CgaUgK6-CP29siVULfV8EYXIKks5r5nUKgaJpZM4M-emH> .

[Saren-Arterius]

@davidjameshowell They did not confirm, but I guess it should be...

[madyoda]

@Saren-Arterius any idea what they said? If you visit https://tensile-runway-92512.appspot.com/ now, it says unknown client_id. Almost seems like acd_cli got revoked from Amazon.

[SchnorcherSepp]

I learned from Amazon: just wait and see
Give the security team some time....

[Saren-Arterius]

@madyoda

To help us have a full understanding of your report (HGXXXXXXXXX), can you please let us know when exactly did you start experiencing this issue?

Could you please also tell us how you initially authenticated to Amazon Cloud Drive using acd_cdi? I can see different methods described on https://acd-cli.readthedocs.io/en/latest/authorization.html.

Seeing acd_cli no longer works possibly because of this, I somehow feel guilty lol.

[madyoda]

@Saren-Arterius I wouldn't feel guilty - you potentially stopped a big issue i.e. people accessing each others accounts. I'd mention you used tensile-runway-92512.appspot.com and that's hosted on the Google App Engine.
(I also don't know if it's public info but you may want to remove the report ID in the brackets (HG....))

[Saren-Arterius]

@madyoda Thanks for reminding that, the ID is removed.

[nob0dy80]

shame on you @Saren-Arterius ... since acdcli is down and i cant access my encrypted media files i feel kind of prehistoric :-)
If acdcli wont come back i would be kind of lost since i dont know a other way to mount the drive into a folder on linux :-/

[madyoda]

@nob0dy80 take a look at rclone, specifically this

[Saren-Arterius]

@nob0dy80 rofl didn't expect that

[nob0dy80]

@Saren-Arterius everythine fine... security first. not your fault at all .. but i hope it will come back, worked great for me.

@madyoda ...oh ..didnt know there is a mount option on rclone. But don't like the word "experimental" when playing arround with my media. But i'll give it a try. Hope the performance is compareable to acdcli.

[JulianMiribel]

Same issue here.

Tried to setup an amazon profile but it seems amazon won't allow API access anymore so I'm stuck.

@Saren-Arterius no worries, I'm more than pleased to know a security hole might be fixed.

[nob0dy80]

@madyoda thanks again for the hint. testet it now. what can i say. the bufferunderruns with large video files i had with acdcli are gone and the mounting process is arround 300% faster (cause i dont need to resync my database to see new files in my encrypted mount).
since i used acdcli only for the mount, i dont see a reason to use it any longer if rclone handles it so well.
Lets see how it works in a longer time period....

[madyoda]

@nob0dy80 yep I am a big fan of rclone 👍 an idea: when (if 😢) acd_cli comes back, setup a unionfs mount with both the rclone mount plus acd_cli mount for extra redundancy if something like this happens again. It's what I'm going to be doing myself, as well as mirroring my stuff over to Google Drive too and setting up a third "redundant" place.

[madyoda]

On another note...

[Giantdouche33]

any word from Amazon on this issue?

[madyoda]

@Giantdouche33 @Saren-Arterius would be the one to ask, though it's a Sunday so I wouldn't expect much until tomorrow.

[Saren-Arterius]

@Giantdouche33 not yet since I replied

[yadayada]

I put up a fixed version of the Appspot app, see http://acd-api-oa.appspot.com/src.