Posted to dev@wookie.apache.org by "Matthias Niederhausen (JIRA)" <ji...@apache.org> on 2012/10/08 10:54:02 UTC

[jira] [Created] (WOOKIE-384) persist parameter of oAuth feature not user-isolated

Matthias Niederhausen created WOOKIE-384:
--------------------------------------------

             Summary: persist parameter of oAuth feature not user-isolated
                 Key: WOOKIE-384
                 URL: https://issues.apache.org/jira/browse/WOOKIE-384
             Project: Wookie
          Issue Type: Bug
          Components: Feature Management
    Affects Versions: 0.14.0
         Environment: Windows 7, Chrome
            Reporter: Matthias Niederhausen


When I use the "persist" parameter of the oAuth feature (which is the default), every other user will automatically use my token after I have approved access.
This results in a severe security issue, e.g., my Google contact list being shown to someone else.
Using "false" for the parameter value, I have to re-authenticate every try (which is okay).

The behaviour for "true" should instead be to cache the token for every individual user (i.e., widget instance).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (WOOKIE-384) persist parameter of oAuth feature not user-isolated

Posted by "Scott Wilson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Wilson updated WOOKIE-384:
--------------------------------

    Affects Version/s:     (was: 0.14.0)
        Fix Version/s: 0.13.0

Marking as fixed in 0.13.0 release
                
> persist parameter of oAuth feature not user-isolated
> ----------------------------------------------------
>
>                 Key: WOOKIE-384
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-384
>             Project: Wookie
>          Issue Type: Bug
>          Components: Feature Management
>         Environment: Windows 7, Chrome
>            Reporter: Matthias Niederhausen
>             Fix For: 0.13.0
>
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> When I use the "persist" parameter of the oAuth feature (which is the default), every other user will automatically use my token after I have approved access.
> This results in a severe security issue, e.g., my google contact list being shown to someone else.
> Using "false" for the parameter value, I have to re-authenticate every try (which is okay).
> The behaviour for "true" should instead be to cache the token for every individual user (i.e., widget instance).


[jira] [Commented] (WOOKIE-384) persist parameter of oAuth feature not user-isolated

Posted by "Hoang Minh Tien (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471462#comment-13471462 ] 

Hoang Minh Tien commented on WOOKIE-384:
----------------------------------------

Thanks Matthias but I'm not sure if it is a bug.
If you set the persist option on, the token is dedicated to a single widget instance, not shared with all widget instances. If you put this widget instance on any page (using the embedded-code function), it can query the token and display the information associated with this token.
So if the information is private and the page containing the widget instance is public, it is not suitable to set persist on.

                

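To make the two readings of this thread concrete (the report's "every other user gets my token" and Hoang's "the token belongs to the widget instance, and anyone who can load that instance can read it"), here is an added illustration that is not Wookie's own code. It models a token cache keyed by widget instance only, beside one keyed by widget instance plus viewer, and includes a small check that flags tokens readable by a viewer who never approved them. The class names, the `approve`/`lookup` methods and the sample identifiers (`w1`, `alice`, `bob`, `tok-alice`) are assumptions made for the example.

```python
"""Toy model of the token-cache scopings discussed in WOOKIE-384.

Added illustration, not Wookie's own implementation: the classes,
method names and sample identifiers below are assumptions.
"""
from typing import Dict, List, Optional, Tuple


class InstanceScopedStore:
    """persist=true as described in the report: one cached token per widget instance."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def approve(self, instance_id: str, viewer: str, token: str) -> None:
        # The viewer who completed the OAuth approval is not recorded at all.
        self._tokens[instance_id] = token

    def lookup(self, instance_id: str, viewer: str) -> Optional[str]:
        # Whoever can reach the instance (e.g. on an embedding page) gets the token.
        return self._tokens.get(instance_id)


class ViewerScopedStore:
    """The behaviour the reporter asks for: cache keyed by (instance, viewer)."""

    def __init__(self) -> None:
        self._tokens: Dict[Tuple[str, str], str] = {}

    def approve(self, instance_id: str, viewer: str, token: str) -> None:
        self._tokens[(instance_id, viewer)] = token

    def lookup(self, instance_id: str, viewer: str) -> Optional[str]:
        return self._tokens.get((instance_id, viewer))


def needs_authorisation(store, instance_id: str, viewer: str) -> bool:
    """True when this viewer would be sent through the OAuth approval step."""
    return store.lookup(instance_id, viewer) is None


def simulate(store) -> dict:
    """Alice approves access on widget instance 'w1'; Bob then loads the same instance.

    Returns whether Bob is prompted and which token (if any) he can read.
    """
    store.approve("w1", "alice", "tok-alice")  # constructed sample token
    return {
        "bob_prompted": needs_authorisation(store, "w1", "bob"),
        "bob_sees_token": store.lookup("w1", "bob"),
    }


def cross_viewer_leaks(store, approvals: List[Tuple[str, str, str]],
                       viewers: List[str]) -> List[Tuple[str, str]]:
    """Flag (instance, viewer) pairs where a viewer can read a token they did not approve.

    `approvals` is a constructed log of (instance_id, approving viewer, token).
    """
    leaks = []
    for instance_id, approver, token in approvals:
        for viewer in viewers:
            if viewer != approver and store.lookup(instance_id, viewer) == token:
                leaks.append((instance_id, viewer))
    return leaks


def audit(store) -> List[Tuple[str, str]]:
    """Replay a small constructed approval log against a store and report leaks."""
    approvals = [("w1", "alice", "tok-alice"), ("w2", "bob", "tok-bob")]
    for instance_id, approver, token in approvals:
        store.approve(instance_id, approver, token)
    return cross_viewer_leaks(store, approvals, ["alice", "bob", "carol"])


if __name__ == "__main__":
    print("instance-scoped:", simulate(InstanceScopedStore()), audit(InstanceScopedStore()))
    print("viewer-scoped:  ", simulate(ViewerScopedStore()), audit(ViewerScopedStore()))
```

With the instance-scoped store Bob is never prompted and reads Alice's token, which is exactly the report's observation; with the viewer-scoped store he is prompted and the audit finds no leaks. Hoang's point survives in the model too: the instance-scoped store is only safe when every viewer of the instance is the same person, which a public embedding page cannot guarantee.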

[jira] [Commented] (WOOKIE-384) persist parameter of oAuth feature not user-isolated

Posted by "Matthias Niederhausen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471467#comment-13471467 ] 

Matthias Niederhausen commented on WOOKIE-384:
----------------------------------------------

Hm, what I did was open the Wookie demo page in different browsers. Even the two demo pages shown when I select a widget there are different instances, from my understanding. After I then granted access to one of the widgets, the other no longer needed permission and received the token of the first widget.
                


[jira] [Commented] (WOOKIE-384) persist parameter of oAuth feature not user-isolated

Posted by "Hoang Minh Tien (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471482#comment-13471482 ] 

Hoang Minh Tien commented on WOOKIE-384:
----------------------------------------

Yes, that's the case: private widget instance but public page.
It is the same with other widgets like natter, todo, simplechat... everyone who goes to the page can be Bob or Alice to the widgets.
                
