Closed Bug 1715329 Opened 2 years ago Closed 2 years ago

Access token stored as device ID

Categories

(Chat Core :: Matrix, defect)

defect

Tracking

(thunderbird_esr78 unaffected)

RESOLVED FIXED
91 Branch
Tracking Status
thunderbird_esr78 --- unaffected

People

(Reporter: freaktechnik, Assigned: freaktechnik)

References

Details

Attachments

(1 file)

We stored the access token as the device ID on accident. Luckily, the device ID is never sent anywhere without crypto enabled. As such, the access token shouldn't have leaked.

We can invalidate the access token for everyone that chose to store their token, since the values will be equal. Users that don't store their access token override the device ID every time they connect either way, so it will at least be overridden after the patch lands.

Either way, everyone will have to log in again, which means SSO will prompt again once the patch for this lands.

Talked to some folks about this and it seems that device IDs are considered public info and can be queried from the /keys/query endpoint.

So what is happening is that we:

It is unclear to me when MatrixClient will use this though since? Maybe if you log the device out from another device you'd end up with that as your device ID or something?

We let the server generate a device ID on login, which is the one that the server then has on file (you can verify this with an account that has an affected session in element web).

Looking through all uses of deviceId within the js SDK I couldn't see one that wasn't related to the crypto features or WebRTC, both of which we don't touch so far.

(In reply to Patrick Cloke [:clokep] from comment #2)

It is unclear to me when MatrixClient will use this though since? Maybe if you log the device out from another device you'd end up with that as your device ID or something?

No, the SDK doesn't set the device_id for the login request see https://github.com/matrix-org/matrix-js-sdk/blob/4b8f47e2b430f84bbfb4c65fd3007703cac93cb4/src/client.ts#L5921 (plus any of the higher level login methods) and
https://github.com/matrix-org/matrix-js-sdk/blob/4b8f47e2b430f84bbfb4c65fd3007703cac93cb4/src/http-api.js#L463
(this actually leads to some issues with crypto that I have to address in the other patch - we have to create a new client once we get the device ID)

Pushed by geoff@darktrojan.net:
https://hg.mozilla.org/comm-central/rev/339d0208fb01
Store correct Matrix device ID and revoke incorrectly stored access tokens. r=clokep

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
You need to log in before you can comment on or make changes to this bug.