Closed Bug 1742124 Opened 3 years ago Closed 2 years ago

Slack Leakage - Google Docs Plugin leads to credential and Mozilla Internal Information Disclosure

Categories

(Websites :: Other, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Unassigned)

References

()

Details

(Keywords: reporter-external, sec-moderate, wsec-disclosure, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Hi.

The implementation of the Google Docs Slack plugin leads to the disclosure of sensitive information through the document preview function. I do not need to be authenticated to a Mozilla email account to view the contents of the documents which are being shared.

I have noticed this behavior for a while now, however at the time I was unable to find credentials which would further demonstrate the impact here. Recently I found a document which was being shared called "MLS API Keys in Use". This document details API keys for the https://location.services.mozilla.com/ website.

https://docs.google.com/spreadsheets/d/1BL6cpT4nW0HuQyUYbxtqFwJyTwn54maRNwN3S17z8j0/edit#gid=0

Initially I was having a hard time with reading the contents of the preview as it was quite small within the Slack program. However navigating to the slack.com website enabled me to view the contents of the document after scrolling and playing with the browser a bit more. From here I was able to view the contents of the API keys which are currently being used.

https://location.services.mozilla.com/v1/geolocate?key=3b4d27dd-703d-4094-8398-4de2c763505a (Firefox for Android)

The service APIs accept data submission for geolocation stumbling as well as reporting a location based on IP addresses, cell, or WiFi networks. I believe this feature is also being used within Firefox.

Whilst the impact of these keys might be questionable, it raises the question of what else is being stored within these Google documents?

Regards,
Griffin.

Flags: sec-bounty?
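As a defender-side illustration added here (not part of this bug report or of Mozilla's or Slack's tooling), the following Python audit walks Slack-export style messages, picks out Google Docs unfurls, and flags previews whose title or text looks like it carries keys, which is the leak pattern the report describes. The export layout (`attachments` entries with `from_url`, `title`, `text`) is an assumption, and the sample messages, document IDs and key are constructed placeholders.

```python
import json
import re

# Constructed sample of Slack-export style messages (assumed structure:
# link previews appear under "attachments" with from_url/title/text).
# The document IDs and the key below are made-up placeholders, not real values.
SAMPLE_MESSAGES = json.loads(r'''[
  {"ts": "1637000000.000100",
   "text": "keys doc <https://docs.google.com/spreadsheets/d/EXAMPLE_DOC_ID/edit>",
   "attachments": [{"service_name": "Google Drive",
                    "from_url": "https://docs.google.com/spreadsheets/d/EXAMPLE_DOC_ID/edit",
                    "title": "MLS API Keys in Use",
                    "text": "Firefox for Android key=00000000-0000-4000-8000-000000000001"}]},
  {"ts": "1637000000.000200", "text": "lunch?"},
  {"ts": "1637000000.000300",
   "text": "<https://docs.google.com/document/d/EXAMPLE_DOC_ID2/edit>",
   "attachments": [{"service_name": "Google Drive",
                    "from_url": "https://docs.google.com/document/d/EXAMPLE_DOC_ID2/edit",
                    "title": "Team offsite agenda",
                    "text": "Monday: intros. Tuesday: planning."}]}
]''')

GOOGLE_DOCS = re.compile(r"https?://docs\.google\.com/\S+")

# Heuristics for credential-looking content in a preview; the dict key is the
# reason reported when a pattern fires.
SECRET_HINTS = {
    "key=value": re.compile(r"\bkey\s*=\s*[A-Za-z0-9_\-]{16,}", re.I),
    "uuid-token": re.compile(
        r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I),
    "secret-word": re.compile(r"\b(api[ _-]?keys?|secret|token|password)\b", re.I),
}


def find_leaky_unfurls(messages):
    """Return (ts, title, reasons) for every Google Docs unfurl whose preview
    title or text matches at least one credential heuristic."""
    findings = []
    for msg in messages:
        for att in msg.get("attachments") or []:
            source = att.get("from_url") or att.get("title_link") or ""
            if not (GOOGLE_DOCS.search(source) or GOOGLE_DOCS.search(msg.get("text", ""))):
                continue  # only unfurls of Google Docs links are of interest here
            preview = f"{att.get('title', '')}\n{att.get('text', '')}"
            reasons = [name for name, pat in SECRET_HINTS.items() if pat.search(preview)]
            if reasons:
                findings.append((msg["ts"], att.get("title", ""), reasons))
    return findings
```

Running it over a real export gives a list of channel timestamps to review; the lasting fix on the page, disabling unfurling for Google Docs links, removes the preview text this audit keys on.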

I'm not 100% sure, but I'm wondering if this functions similarly to the concept of a consumer key/secret (https://stackoverflow.com/questions/28057430/what-is-the-access-token-vs-access-token-secret-and-consumer-key-vs-consumer-s).

Hello Griffin,

Is this the Mozilla Slack instance? Do you still see examples of this issue? If so, can you point us to a message so we can see how the preview is leaking this data? I wonder if the plugin can be configured to prevent this behavior.

Thanks,
Frida

Flags: needinfo?(griffin.francis.1993)

Hi Frida.

Yes, this is within the Mozilla Slack instance. You can reproduce it by searching for "MLS API Keys in Use", and it should return a document which you are able to preview.

Regards,
Griffin.

Flags: needinfo?(griffin.francis.1993)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: wsec-disclosure
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

We requested Slack to disable previews (i.e. unfurling) for google docs.

None of the involved sites (Slack, Google Docs, Jira) are officially on our web bounty list, and our bounty program is more focused on danger to our users and their data, but this is a good find of a flaw that is disruptive to our own internal working and we do want to recognize that with a bounty.

Flags: sec-bounty? → sec-bounty+
Keywords: sec-moderate

Thanks for the bounty!
