T8493 Posted August 5, 2016 (edited)

Questions for GateHub, because logging is explicitly mentioned on their Privacy policy page:

Which requests are logged? Do you log API calls, too?
Do you log complete URLs of HTTP requests?
It looks like you also log some headers (Referer and browser), too. Do you log just the headers which are explicitly mentioned in the Privacy policy, or do you log all headers?
Do you log the content (JSON) of the API calls?

Edited August 6, 2016 by T8493
T8493 (Author) Posted August 6, 2016 (edited)

When a user changes his password, his old password is sent in plaintext as part of the URL in one of the requests. The URL is:

https://api.gatehub.net/auth/v1/users/{user_id}?password={password}

The password is the plaintext password. It is not encrypted or hashed. Logging always logs the complete URL (in my experience; see also the CloudFlare logs below), and this means that the plaintext password could be stored somewhere in their logs.

I don't know why this password is not included as part of the JSON payload. Something looks slightly weird to me, because they already use an "Authentication: Bearer XXXXXX" HTTP header which (somewhat) duplicates the functionality of the old password. The other password is included in plaintext as part of the JSON payload.

According to the GateHub Privacy Policy, GateHub automatically collects information such as:

Quote
Log Information: We collect log files that contain the type of browser you use, access times, pages viewed, your IP address and the page you visited before navigating to our websites.

"Pages viewed" implies they store URLs. Otherwise they don't know which pages you viewed. They probably also log API/XMLHttpRequest requests, because the wallet is a single page application and the majority (99%) of the (interesting) requests are API/XMLHttpRequests.

Can @gatehub provide a verifiable proof that they don't store plaintext passwords in their log files?

Another related question for @gatehub: Is this password stored in plaintext in CloudFlare logs (which can be downloaded by GateHub)? It looks like it probably is: https://support.cloudflare.com/hc/en-us/article_attachments/205413947/els_schema.json ("uri" property).

Edited August 6, 2016 by T8493
GateHub Posted August 8, 2016 (edited)

Quote
Can @gatehub provide a verifiable proof that they don't store plaintext passwords in their log files?

What kind of proof do you have in mind?

CloudFlare does not store any logs from GateHub. CloudFlare only stores some logs for their large customers. GateHub does not have an Enterprise account (Enterprise plans start at $5,000 per month).

https://blog.cloudflare.com/what-cloudflare-logs/

Best regards,
Luka (GH Security advisor)

Edited August 8, 2016 by gatehub
Guest Posted August 8, 2016

16 minutes ago, gatehub said:
Quote
What kind of proof do you have in mind? CloudFlare does not store any logs from GateHub. CloudFlare only stores some logs for their large customers. GateHub does not have an Enterprise account (Enterprise plans start at $5,000 per month). https://blog.cloudflare.com/what-cloudflare-logs/ Best regards, Luka (GH Security advisor)

Who cares about Enterprise plans. You might upgrade to an Enterprise plan next year, switch provider, or CloudFlare may change its services tomorrow and offer you free logs. I bet they store logs ANYWAY now, they just don't let you access them. Logging costs nothing.

Passwords do NOT belong in a URL, period. Fix it, or refute the claim.
winthan Posted August 8, 2016

On 8/5/2016 at 8:56 PM, T8493 said:
Quote
When user changes his password, his old password is sent in plaintext as part of the URL in one of the requests. URL is: https://api.gatehub.net/auth/v1/users/{user_id}?password={password} ("uri" property).

That is dead serious! And they are storing all critical data in Session Storage. WTH!!!
T8493 (Author) Posted August 8, 2016 (edited)

14 hours ago, gatehub said:
Quote
CloudFlare does not store any logs from GateHub. CloudFlare only stores some logs for their large customers. GateHub does not have an Enterprise account (Enterprise plans start at $5,000 per month). https://blog.cloudflare.com/what-cloudflare-logs/

How do you know they don't store any logs from GateHub? How can they provide analytics if they don't store logs?

I think you're confusing two things. One thing is their REST API and the ability to download logs in JSON format (this is only available to Enterprise customers). However, they can still store logs and make them available via other means (maybe in a somewhat aggregated form). There are some tools that can access per-URL statistics: https://www.cloudflare.com/apps/clicky/

BTW, I'm not too familiar with CloudFlare.

Quote from https://blog.cloudflare.com/what-cloudflare-logs/
Quote
Access logs for most customers are stored briefly at the edge of our network and then deleted within 4 hours.

Edited August 9, 2016 by T8493
Guest Posted August 9, 2016 (edited)

The password reset link was a mistake we have made, and I have already talked to the developer in order to fix it. We have not logged those parameters anywhere; however, CloudFlare might have done it, and also your browser history has it. I encourage everyone who has done a password reset to clear their browser history.

18 hours ago, lucky said:
Quote
Who cares about Enterprise plans. You might upgrade to enterprise plan next year, switch provider, CloudFlare may change its services tomorrow and offer you free logs. I bet they store logs ANYWAY now, just not let you access them. Logging costs nothing. passwords do NOT belong in URL, period. fix it, or refute the claim.

This is true, and we are working on fixing this mistake. It will be deployed in the following days.

16 hours ago, winthan said:
Quote
That is dead serious! And they are storing all critical data in Session Storage. WTH!!!

About the session storage: please do not share misinformation here, since I have answered you on the other thread where you started the session storage issue, and I have explained to you why it is not as critical as you might think.

Thread:

Edited August 9, 2016 by Guest
T8493 (Author) Posted August 9, 2016 (edited)

2 hours ago, gregor said:
Quote
The password reset link was a mistake we have made and I have already talked to the developer in order to fix it. We have not logged those parameters anywhere however cloudflare might have done it and also your browser history has it. I encourage everyone that have done a password reset to clear their browser history.

Browser history? Browser history never contains XMLHttpRequest calls, AFAIK.

However, the browser cache may store this password. Especially because the server's HTTP response doesn't indicate that the browser shouldn't cache this result (the server response even uses an ETag header, which implies caching). If the browser decides to cache this response, then the cache entry will also contain the URL with the plaintext password.

EDIT: I've just noticed this call uses the HTTP PUT method and not the HTTP POST method. According to RFC 2616, browsers are not allowed to cache responses to the PUT method (but they're allowed to cache responses to the POST method).

Edited August 9, 2016 by T8493
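The thread's central worry is that a credential placed in a query string ends up wherever the full URL is recorded: the origin's access log, a CDN edge log, the Referer of the next request. The scrubber below is an added example written for this thread, not code from GateHub or any poster; it runs over constructed combined-format log lines (the GateHub-style path is illustrative) and both flags and redacts sensitive query parameters in the request line and in the Referer before a line is stored, which is the defensive control a log pipeline should apply regardless of what the upstream fix does.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that must never be written to a log file (assumed list).
SENSITIVE_PARAMS = {"password", "old_password", "new_password", "token", "secret"}

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: a PUT with the password in the query string, a GET whose
# Referer carries a password from the previous page, and a clean request.
LOG_LINES = [
    '203.0.113.5 - - [06/Aug/2016:10:12:01 +0000] "PUT /auth/v1/users/42?password=hunter2 HTTP/1.1" 200 123 "https://wallet.example/settings" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Aug/2016:10:12:02 +0000] "GET /auth/v1/users/42 HTTP/1.1" 200 456 "https://wallet.example/settings?password=old" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Aug/2016:10:13:00 +0000] "GET /wallet/v1/balances HTTP/1.1" 200 789 "-" "Mozilla/5.0"',
]

def redact_url(url):
    """Replace values of sensitive query parameters; return (clean_url, redacted_names)."""
    parts = urlsplit(url)
    hits, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            hits.append(name)
            value = "[REDACTED]"
        cleaned.append((name, value))
    query = urlencode(cleaned, safe="[]")  # keep the marker readable in the log
    return urlunsplit(parts._replace(query=query)), hits

def scrub_log_line(line):
    """Scrub one access-log line; return (clean_line, findings) where findings
    lists 'field:param' for each secret removed from the path or Referer."""
    m = LOG_RE.match(line)
    if not m:
        return line, []  # unknown format: pass through, flag nothing
    f, findings = m.groupdict(), []
    for field in ("path", "referer"):
        if f[field] == "-":
            continue
        f[field], hits = redact_url(f[field])
        findings += [f"{field}:{h}" for h in hits]
    clean = ('{ip} {ident} {user} [{time}] "{method} {path} {proto}" {status} {size} '
             '"{referer}" "{agent}"').format(**f)
    return clean, findings

def find_leaks(lines):
    """Count log lines that carried a secret, i.e. what an alert should fire on."""
    return sum(1 for line in lines if scrub_log_line(line)[1])
```

Running `find_leaks(LOG_LINES)` over the sample flags two of the three lines; the scrubbed lines keep their structure so downstream parsers are unaffected.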