Let me give permission to you to do it ;)

On 02/01/2016 03:06 PM, Thomas Draier wrote:
Hi,

I created the tickets but cannot assign or change anything on them - who
can edit permissions there ?

thomas


On Mon, Feb 1, 2016 at 2:36 PM Serge Huber <[email protected]> wrote:

Hello Thomas,

I think all your propositions make a lot of sense (of course since we
discussed them first :)). I vote that we first implement a token system and
that we can always improve this further. Ideally we should have one token
per accepted server, not a single one for all external services.

I see you have already created the ticket, I’ll add your proposition down
here to the ticket for more details.

cheers,
   Serge…


On 1 Feb 2016, at 13:26, Thomas Draier <[email protected]> wrote:

Hi there,

I have some security concerns with the merge actions. Currently, anybody
can manually send a login event with some properties, and merge his data
with existing profiles. He can easily corrupt an existing profile or get
private data of this user, as the 2 users will be "merged".

First thing is that, in my opinion, login events should only be accepted
by trusted tiers - we need to be able to authenticate the event sender in
some way - a simple solution would be to use a secret token, but we could
implement more secure things with a certificate. In all cases, we should
not let the client send a login event and trigger a user merge on
untrusted information.

Some properties should not be directly writeable by a user, even on his
own profile. Changing the j:nodename property, which is used by the
default login rule (could be any other property), could be a security
issue. Actually, the "merge" action should only be done on trusted
properties that would be read only, even for their owner. The
"systemproperties" map could be a good candidate. Currently the profile
end point allows completely saving a profile, this should be a little bit
restricted.

I also have another concern about profile merging - if a user logs in
with 2 different profiles (sends 2 login events, with different
usernames), both profiles are merged. This can give some very unexpected
results if you share your computer with somebody ... Merging one
anonymous profile with an identified user makes sense, but merging 2
identified profiles looks rather strange. I would rather switch profile in
that case.

What do you think ?

Regards

thomas




--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
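
The three checks proposed in the quoted thread (a per-server token on login events, a property map only the server writes, and switching instead of merging two identified profiles), sketched as an added example that is not part of the thread or the project's code. The server ids, tokens, function names and the `system`/`properties` profile layout are assumptions made for illustration.

```python
import hmac

# Constructed sample: one secret token per accepted server (hypothetical ids).
SERVER_TOKENS = {"cms-1": "constructed-token-aaa", "crm-1": "constructed-token-bbb"}


def sender_is_trusted(server_id, token):
    """True only when the token is the one issued to this specific server."""
    expected = SERVER_TOKENS.get(server_id)
    if expected is None or not isinstance(token, str):
        return False
    # Constant-time comparison so timing does not leak how much of a guess matched.
    return hmac.compare_digest(expected.encode(), token.encode())


def new_profile(login=None):
    # "system" stands in for a map only the server writes; "properties" is user data.
    return {"system": {"login": login}, "properties": {}}


def apply_client_update(profile, update):
    """Profile endpoint: the client may change user properties, never the system map."""
    profile["properties"].update(update.get("properties", {}))
    return profile


def handle_login_event(event, current, identified):
    """Return (outcome, active_profile). `identified` maps login -> profile."""
    login = event.get("login")
    if not login or not sender_is_trusted(event.get("server_id"), event.get("token")):
        return "rejected", current  # untrusted sender: nothing is merged
    if current["system"]["login"] == login:
        return "unchanged", current
    known = identified.get(login)
    if current["system"]["login"] is not None:
        # Two identified profiles (shared computer): switch, never merge.
        if known is None:
            known = identified[login] = new_profile(login)
        return "switched", known
    if known is None:
        # Anonymous visitor logs in for the first time: the profile becomes identified.
        current["system"]["login"] = login
        identified[login] = current
        return "identified", current
    # Anonymous profile merges into the identified one; existing values win.
    for key, value in current["properties"].items():
        known["properties"].setdefault(key, value)
    return "merged", known
```
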
