
What data GateHub stores in its logs?


T8493

Recommended Posts

Questions for GateHub because logging is explicitly mentioned on their Privacy policy page:

Which requests are logged? Do you log API calls, too?

Do you log complete URLs of HTTP requests? It looks like you also log some headers (Referer and browser), too. Do you log just headers which are explicitly mentioned on the Privacy policy or do you log all headers?

Do you log content (JSON) of the API calls?


Edited by T8493

When a user changes his password, his old password is sent in plaintext as part of the URL in one of the requests. The URL is:

https://api.gatehub.net/auth/v1/users/{user_id}?password={password}

The password is a plaintext password. It is not encrypted or hashed. Logging always logs the complete URL (in my experience; see also the CloudFlare logs below), and this means that the plaintext password could be stored somewhere in their logs.

I don't know why this password is not included as part of the JSON payload. Something looks slightly weird to me because they already use "Authentication: Bearer XXXXXX" HTTP header which (somewhat) duplicates the functionality of the old password.

The other password is included in plaintext as part of the JSON payload.

According to GateHub Privacy Policy GateHub automatically collects information such as:

Quote

Log Information: We collect log files that contain the type of browser you use, access times, pages viewed, your IP address and the page you visited before navigating to our websites.

"Pages viewed" implies they store URLs. Otherwise they don't know which pages you viewed.

They probably also log API/XMLHttpRequest requests, because the wallet is a single-page application and the majority (99%) of the (interesting) requests are API/XMLHttpRequest requests.


Can @gatehub provide a verifiable proof that they don't store plaintext passwords in their log files?


Another related question for @gatehub: Is this password stored in plaintext in CloudFlare logs (which can be downloaded by GateHub)? It looks like it probably is:

https://support.cloudflare.com/hc/en-us/article_attachments/205413947/els_schema.json

("uri" property).

Edited by T8493
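The post above is about a credential that ends up in a query string and therefore in every access log along the path. The following is an added example for this thread, not GateHub's or Cloudflare's code: it redacts sensitive query parameters before a URL is written to a log, and scans existing log lines for values that have already leaked. The parameter names, the endpoint path and the log lines are constructed for the example.

```python
"""Keep credentials out of access logs: redact sensitive query parameters
before a URL is logged, and scan existing log lines for credentials that
have already leaked into a query string.

Added example for this thread; it is not GateHub's or Cloudflare's code.
The parameter names, the endpoint path and the log lines are constructed."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that must never reach a log line (assumed list;
# extend it to match the API being protected).
SENSITIVE_PARAMS = {"password", "old_password", "new_password",
                    "token", "access_token", "secret"}
REDACTED = "[REDACTED]"


def redact_url(url: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Return `url` with the values of sensitive query parameters replaced.
    Names are compared case-insensitively; the other parameters and their
    order are preserved so the log line stays useful for debugging."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, REDACTED if k.lower() in sensitive else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/[\d.]+)"')

# Constructed log lines in combined-log shape; the format is ours, not the
# shape of any real GateHub or Cloudflare log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "PUT /auth/v1/users/1234?password=hunter2 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2017:13:55:40 +0000] "GET /wallet/balance?currency=XRP HTTP/1.1" 200 88
198.51.100.2 - - [10/Oct/2017:13:56:01 +0000] "POST /auth/v1/login?Token=abc123 HTTP/1.1" 401 30
"""


def find_credential_leaks(log_text: str, sensitive=SENSITIVE_PARAMS):
    """Return [(line_no, method, [leaked parameter names])] for every log
    line whose request target still carries an unredacted sensitive value."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        pairs = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
        leaked = [k for k, v in pairs if k.lower() in sensitive and v != REDACTED]
        if leaked:
            hits.append((line_no, m.group("method"), leaked))
    return hits


def scrub_log(log_text: str) -> str:
    """Rewrite every request target in `log_text` through redact_url()."""
    def _repl(m):
        return '"%s %s %s"' % (m.group("method"),
                               redact_url(m.group("target")),
                               m.group("version"))
    return REQUEST_RE.sub(_repl, log_text)


if __name__ == "__main__":
    for line_no, method, names in find_credential_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {method} request leaks {', '.join(names)}")
    print(scrub_log(SAMPLE_LOG))
```

Redaction at the point where the log line is produced is the only reliable control; scanning stored logs afterwards, as `find_credential_leaks` does, only tells you how far a value has already spread (CDN, reverse proxy, application, SIEM) and which archives need purging.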

Quote


Can @gatehub provide a verifiable proof that they don't store plaintext passwords in their log files?


What kind of proof do you have in mind?

CloudFlare does not store any logs from GateHub. CloudFlare only stores some logs for their large customers. GateHub does not have an Enterprise account (Enterprise plans start at $5,000 per month). https://blog.cloudflare.com/what-cloudflare-logs/

Best regards,

Luka (GH Security advisor)

Edited by gatehub

16 minutes ago, gatehub said:

What kind of proof do you have in mind?

CloudFlare does not store any logs from GateHub. CloudFlare only stores some logs for their large customers. GateHub does not have an Enterprise account (Enterprise plans start at $5,000 per month). https://blog.cloudflare.com/what-cloudflare-logs/

Best regards,

Luka (GH Security advisor)

Who cares about Enterprise plans? You might upgrade to an Enterprise plan next year, switch provider, or CloudFlare may change its services tomorrow and offer you free logs. I bet they store logs ANYWAY now, just not let you access them. Logging costs nothing.

Passwords do NOT belong in a URL, period. Fix it, or refute the claim.


14 hours ago, gatehub said:

CloudFlare does not store any logs from GateHub. CloudFlare only stores some logs for their large customers. GateHub does not have an Enterprise account (Enterprise plans start at $5,000 per month). https://blog.cloudflare.com/what-cloudflare-logs/

How do you know they don't store any logs from GateHub? How can they provide analytics if they don't store logs?

I think you're confusing two things. One thing is their REST API and the ability to download logs in JSON format (this is only available to Enterprise customers). However, they can still store logs and make them available via other means (maybe in a somewhat aggregated form). There are some tools that can access per-URL statistics: https://www.cloudflare.com/apps/clicky/

BTW, I'm not too familiar with CloudFlare.

Quote from https://blog.cloudflare.com/what-cloudflare-logs/

Quote

Access logs for most customers are stored briefly at the edge of our network and then deleted within 4 hours.


Edited by T8493

The password reset link was a mistake we have made, and I have already talked to the developer in order to fix it. We have not logged those parameters anywhere; however, Cloudflare might have done it, and your browser history also has it. I encourage everyone that has done a password reset to clear their browser history.

18 hours ago, lucky said:

Who cares about Enterprise plans? You might upgrade to an Enterprise plan next year, switch provider, or CloudFlare may change its services tomorrow and offer you free logs. I bet they store logs ANYWAY now, just not let you access them. Logging costs nothing.

Passwords do NOT belong in a URL, period. Fix it, or refute the claim.

This is true and we are working on fixing this mistake. It will be deployed in the following days.

16 hours ago, winthan said:

That is dead serious! And they are storing all critical data in Session Storage. WTH!!!

About the session storage, please do not share misinformation here, since I have answered you on the other thread where you started the session storage issue and I have explained to you why it is not as critical as you might think. Thread:


Edited by Guest

2 hours ago, gregor said:

The password reset link was a mistake we have made, and I have already talked to the developer in order to fix it. We have not logged those parameters anywhere; however, Cloudflare might have done it, and your browser history also has it. I encourage everyone that has done a password reset to clear their browser history.

Browser history? Browser history never contains XMLHttpRequest calls AFAIK.

However, the browser cache may store this password, especially because the server's HTTP response doesn't indicate that the browser shouldn't cache this result (the server response even uses an ETag header, which implies caching). If the browser decides to cache this response, then the cache entry will also contain the URL with the plaintext password.

EDIT: I've just noticed this call uses the HTTP PUT method and not the HTTP POST method. According to RFC 2616, browsers are not allowed to cache responses to the PUT method (but they're allowed to cache responses to the POST method).


Edited by T8493
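The post above turns on whether a response carrying a secret in its URL may be stored by a browser cache, and on which header actually prevents that. The following is an added example for this thread, not GateHub's code: a simplified, defender-side check of cacheability by method and Cache-Control, a review helper that lists the findings a cache-unsafe sensitive response would get, and the hardened header set such an endpoint should send. The rule set is a deliberately reduced reading of the HTTP caching RFCs, and the sample headers are constructed.

```python
"""Check whether a response may be stored by a browser or shared cache, and
build the headers a sensitive endpoint should send so nothing (URL included)
is stored. Added example for this thread, not GateHub's code; the rules are
a simplified reading of the HTTP caching RFCs, and the sample headers are
constructed."""


def _directives(headers: dict) -> set:
    """Lower-cased Cache-Control directives; header names matched case-insensitively."""
    cc = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    return {d.strip().lower() for d in cc.split(",") if d.strip()}


def is_cacheable(method: str, headers: dict) -> bool:
    """Simplified cacheability. no-store forbids storage for any method
    (no-cache does not: it only forces revalidation, the entry is still kept).
    GET/HEAD responses may be stored even without explicit freshness, and an
    ETag or Last-Modified makes them worth keeping; POST responses only with
    explicit freshness (max-age, s-maxage or Expires); PUT/DELETE/PATCH never."""
    cc = _directives(headers)
    if "no-store" in cc:
        return False
    method = method.upper()
    if method in ("GET", "HEAD"):
        return True
    if method == "POST":
        names = {k.lower() for k in headers}
        return "expires" in names or any(
            d.startswith(("max-age=", "s-maxage=")) for d in cc)
    return False


def cache_findings(method: str, headers: dict) -> list:
    """Review findings for a response that carries or echoes a secret."""
    findings = []
    names = {k.lower() for k in headers}
    cc = _directives(headers)
    if is_cacheable(method, headers):
        findings.append("response may be stored by a cache")
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if "etag" in names or "last-modified" in names:
        findings.append("validator header invites caching and revalidation")
    return findings


def hardened_headers(extra: dict = None) -> dict:
    """Headers for a response that must never be stored. no-store is the
    directive that prevents storage; Pragma covers HTTP/1.0 intermediaries;
    validators (ETag, Last-Modified) are deliberately dropped."""
    headers = {"Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"}
    if extra:
        headers.update({k: v for k, v in extra.items()
                        if k.lower() not in ("etag", "last-modified")})
    return headers


if __name__ == "__main__":
    # Constructed: the shape of the password-change response discussed above
    # (an ETag, no Cache-Control), once as a PUT, once as a GET, and the same
    # response served with hardened headers.
    weak = {"Content-Type": "application/json", "ETag": '"5a1f"'}
    print("PUT, weak:", cache_findings("PUT", weak))
    print("GET, weak:", cache_findings("GET", weak))
    print("GET, hardened:", cache_findings("GET", hardened_headers(weak)))
```

Relying on the method alone, as the EDIT in the post does, protects only the specific call: the same handler reached through a GET, a redirect, or a retry by an intermediary is storable the moment the server sends no `no-store`. Sending `Cache-Control: no-store` on every response that handles credentials removes that dependency, and keeping secrets out of the URL removes the cache entry's key as a leak as well.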
