An obtained OTA token is not scope-checked for its intended purpose and can be used to authenticate every subsequent API request.
This issue has only a low severity, because OTA tokens do not contain user state information, so endpoints which require user state will fail anyway (as shown below). However, OTA tokens should be purpose-scoped so that they cannot possibly be exploited for other purposes.
Steps to Reproduce
1. Obtain an OTA token, for example by using the following API endpoint:
POST /api/v1/guilds/{id}/backups/{backupid}/download
2. Use the token via the ota_token query parameter for any other API endpoint that requires authentication.
The following script demonstrates the behavior described above.
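One way to implement the purpose scoping the report asks for, shown here as an added example rather than the project's own code: each token is HMAC-signed with a purpose claim, and the verifier called by an endpoint names the purpose it accepts, so a token minted for a backup download is rejected everywhere else. The function names, signing key, and payload layout are assumptions for the example.

```python
import base64, binascii, hashlib, hmac, json, secrets, time
from typing import Optional

# Constructed signing key for the example; a real service loads it from configuration.
SIGNING_KEY = b"example-signing-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ota_token(user_id: int, purpose: str, ttl_seconds: int = 60,
                    now: Optional[float] = None) -> str:
    """Mint a one-time token bound to exactly one purpose (e.g. 'backup_download')."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "purpose": purpose,
               "exp": now + ttl_seconds, "nonce": secrets.token_hex(8)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"

# Nonces of tokens already redeemed; a real service would keep these in shared storage.
_consumed_nonces: set = set()

def verify_ota_token(token: str, required_purpose: str,
                     now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if the signature is valid, the token is unexpired and
    unused, and it was minted for `required_purpose`; otherwise return None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(body)
    if payload["exp"] < now or payload["nonce"] in _consumed_nonces:
        return None
    if payload["purpose"] != required_purpose:  # the scope check the report says is missing
        return None
    _consumed_nonces.add(payload["nonce"])      # one-time: burn the nonce on first success
    return payload
```

Each endpoint calls verify_ota_token with its own purpose string, so the download endpoint accepts "backup_download" tokens while every other endpoint rejects them.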