Closed Bug 1383853 Opened 7 years ago Closed 7 years ago

Extension XPI URLs reveal AWS credentials in public API

Categories: Firefox :: Normandy Server, enhancement, P1
Status: RESOLVED FIXED
People: Reporter: mythmon, Unassigned

Details

When uploading an XPI to Normandy's new Extension API, the resulting resource includes AWS credentials in the S3 URL for the XPI.

This problem exists on Normandy's master branch, and at time of discovery has been deployed to dev and stage. Dev's credentials have been revealed (protected by VPN), but Stage's have not because no extensions have been uploaded.

Correction: dev's credentials are not protected by VPN.

I just double-checked and the credentials in the page are not the host credentials like I initially thought they were. They are the credentials for a generated S3 access URL, and should only grant temporary access to that specific object.

PR 912 has been merged. All environments that this has affected have been updated. (Not that it was actually an issue to begin with.)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: core-security
Product: Shield → Firefox
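To make the distinction drawn in the comments above concrete, here is an added Python example (it is not Normandy's code, and the bucket name, object key, access key id and signatures in the sample URLs are constructed placeholders). It parses a presigned S3 URL in either the older query-string (SigV2) or the SigV4 form, reports which access key id the URL exposes, when the grant expires and whether it has already expired, and strips the signature material so the URL can be logged or stored safely. The secret access key itself never appears in such a URL; only an HMAC signature computed with it does, and that signature is bound to one object and one expiry.

```python
"""Inspect and redact S3 presigned URLs (added example; not Normandy's code).

Sample URLs below are constructed: the bucket, key, access key id and
signature values are placeholders, not real AWS identifiers.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse, urlunparse

# Query parameters that carry signature material for the two S3 signing schemes.
SIGV2_PARAMS = {"AWSAccessKeyId", "Expires", "Signature"}
SIGV4_PARAMS = {"X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-Signature"}

# Constructed sample URLs of the kind an API response might embed.
SAMPLE_V2_URL = (
    "https://normandy-example-bucket.s3.amazonaws.com/extensions/example.xpi"
    "?AWSAccessKeyId=AKIAEXAMPLEKEY000000&Expires=1500000000&Signature=abc%2Bdef%3D"
)
SAMPLE_V4_URL = (
    "https://normandy-example-bucket.s3.amazonaws.com/extensions/example.xpi"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEKEY000000%2F20170714%2Fus-west-2%2Fs3%2Faws4_request"
    "&X-Amz-Date=20170714T000000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=deadbeef"
)


def _split_bucket_key(parsed):
    """Recover (bucket, key) from a path-style or virtual-hosted-style S3 URL."""
    host = parsed.netloc.lower()
    path = parsed.path.lstrip("/")
    if host.startswith(("s3.", "s3-")):
        # Path style: s3[.<region>].amazonaws.com/<bucket>/<key>
        bucket, _, key = path.partition("/")
        return bucket, key
    # Virtual-hosted style: <bucket>.s3[.<region>].amazonaws.com/<key>
    return host.split(".s3", 1)[0], path


def inspect_presigned_url(url, now=None):
    """Return what a presigned S3 URL discloses and whether the grant is still valid."""
    now = now or datetime.now(timezone.utc)
    parsed = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    bucket, key = _split_bucket_key(parsed)
    info = {
        "bucket": bucket, "key": key, "style": None,
        "access_key_id": None, "expires_at": None, "expired": None,
        # The URL carries an HMAC made *with* the secret key, never the secret itself.
        "contains_secret_key": False,
    }
    if SIGV2_PARAMS.issubset(query):
        info["style"] = "sigv2"
        info["access_key_id"] = query["AWSAccessKeyId"]
        info["expires_at"] = datetime.fromtimestamp(int(query["Expires"]), timezone.utc)
    elif SIGV4_PARAMS.issubset(query):
        info["style"] = "sigv4"
        # Credential scope is <access key id>/<date>/<region>/s3/aws4_request
        info["access_key_id"] = query["X-Amz-Credential"].split("/", 1)[0]
        signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        info["expires_at"] = signed_at + timedelta(seconds=int(query["X-Amz-Expires"]))
    else:
        return info  # plain object URL: nothing signed, nothing exposed
    info["expired"] = now >= info["expires_at"]
    return info


def redact_presigned_url(url):
    """Drop the signature parameters so the URL is safe to log or store."""
    parsed = urlparse(url)
    kept = [
        (k, v) for k, v in parse_qsl(parsed.query, keep_blank_values=True)
        if k not in SIGV2_PARAMS and not k.startswith("X-Amz-")
    ]
    return urlunparse(parsed._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for sample in (SAMPLE_V2_URL, SAMPLE_V4_URL):
        print(inspect_presigned_url(sample))
        print("safe to log:", redact_presigned_url(sample))
```

A check like `inspect_presigned_url` is what a reviewer would run over an API response before deciding whether a leaked URL is a real credential exposure: if `style` is set, the exposure is the access key id (an identifier, not a secret) plus a time-boxed grant to one object, which is what the final comments on this bug describe; the redacted form is what should reach logs.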