Non-Profit” project*
Somewhat foolishly, I took a request
You won’t believe what happened next...
*http://haxx.ml/post/137946990286/hacking-open-source-software-for-fun-and
Combinator
Open source – MIT License
Team and Enterprise editions
Built on modern technologies – Golang, React.js, Node.js
New release monthly (16th)
you understand? :)
Exposed by design
Rapidly growing user base
Interesting use cases (SaaS?)
Open Source
Provide info for those considering using it
Backend/API written in Golang
– One Linux ELF binary + static resources
All business logic in the API
MySQL or PostgreSQL database
Mobile and desktop apps – Android, iOS, Windows, OS X, Linux
Compiled but “memory safe”
– No manual memory management, etc.
Runtime built-in
Designed with security in mind
– Context-based output encoding
– Secure standard libraries
– No “easy” path to dynamic execution
logical area + endpoint
Access model well implemented
No injection vulnerabilities (?)
Some team-related information leaks
Fairly clean with some legacy/redundant functionality
Somewhat configurable
– Restrict to specific domains
– Require email verification
– Limit to SSO service (OAuth/LDAP)
Two methods
– Direct Invite (email from system)
– Team Invite Link (more interesting)
POST to /api/v1/teams/find_teams
– Payload: {"email":"[email protected]"}
– Returns team data, including Invite ID
– Can be called unauthenticated
Only pre-req: team member’s email/username
Team Admin – Manage team settings and members
System Admin – Manage system settings through System Console
Admins are Members too
– No access to other users’ private channels, DMs, etc.
– Except in this one particular case…
{"link":"/api/v1/files/get_export"}
GET /api/v1/files/get_export
– Returns ZIP file with exported data for ALL teams
– Chat messages, team invite IDs, etc.
Can be triggered by any Team Admin
– Local and cross-team information leak
officially recommended
Passwords stored as bcrypt hashes
Chat messages stored in clear text
Shared files stored as-is on file system
Crypto used in “interesting” ways…
http://192.168.1.54:8065/suchteam/reset_password?d={"time":"1462383751298","user_id":"55u99xsze7fc9ygs7d9zgqwhjh"}&h=$2a$10$L9yhcWMoS4qY.wSxJx/iJO77xZcGiFP.XDkwZEyJrH7M7eUkqx.am
The value of d is known/predictable
bcrypt hash (h) is generated by:
– bcrypt(value_of_d + “:” + password_reset_salt)
Hmmm… But why?
stored
– Any bcrypt hash will be accepted as long as it matches d + password reset salt
– Cost factor can be reduced to 4!
The “time” value of d can be set arbitrarily
Knowing the password reset salt => reset any user’s password
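A hardened shape for the reset link described above, as an added Go example that is neither Mattermost’s code nor the fix the talk describes: the server keeps the d/h pair but computes h as an HMAC under a server-only key, compares it in constant time and enforces expiry on its own clock, so whoever presents the link chooses neither the algorithm, the cost factor nor the effective validity of the embedded time. The key, the TTL, the user id and the numeric "time" field are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// resetPayload is the "d" parameter of the reset link: a timestamp and a user id.
type resetPayload struct {
	Time   int64  `json:"time"`
	UserID string `json:"user_id"`
}

// resetTTL bounds how long a link stays valid (constructed value, not from the talk).
const resetTTL = 15 * time.Minute

// mac replaces bcrypt(d + ":" + salt) with an HMAC under a server-only key, so the link cannot dictate the algorithm or cost factor.
func mac(key []byte, d string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(d))
	return hex.EncodeToString(m.Sum(nil))
}

// issueReset builds the d and h parameters for a user at the server's current time.
func issueReset(key []byte, userID string, now time.Time) (d, h string) {
	b, _ := json.Marshal(resetPayload{Time: now.UnixMilli(), UserID: userID})
	return string(b), mac(key, string(b))
}

// verifyReset checks h in constant time before trusting anything in d, then
// enforces expiry on the server's clock so "time" cannot be set to extend validity.
func verifyReset(key []byte, d, h string, now time.Time) (string, error) {
	if !hmac.Equal([]byte(h), []byte(mac(key, d))) {
		return "", errors.New("bad signature")
	}
	var p resetPayload
	if err := json.Unmarshal([]byte(d), &p); err != nil {
		return "", errors.New("malformed d")
	}
	if issued := time.UnixMilli(p.Time); now.Before(issued) || now.Sub(issued) > resetTTL {
		return "", errors.New("expired")
	}
	return p.UserID, nil
}

func main() {}
```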
type restrictions
– Preview functionality for common file types
Stored as-is under folder path based on:
– Channel ID
– Uploading user’s ID
– Random string
Access to files is well protected
s37zh35fmc/r5kcfatee7d6zfnjjiss9xwn1c/geb8dieqhib43g3u9bedqiqn1o/hello.html?session_token_index=0&download=1
Downloads the file as an attachment
– Content-Disposition: attachment;filename="hello.html”
What happens if the value of download is 0?
– Or just remove the query string
– HTML executes!
Node.js
– Engine for running JavaScript on the server
– Not the same restrictions as in a browser
Mostly just emulates a browser
– Uses cookies
– Local config, HTML, and JS files
Not much to see here… Or?
of crypto
– New, cleaner API version
– Better team separation
– No sensitive data in System Console
Root cause analysis over single fixes
Potential improvements
– Optional database encryption
– Team separation on database level