Bug 842288 - Potential sensitive information (Private Key) disclosed
Status: Closed, RESOLVED INVALID
Opened 11 years ago; closed 10 years ago
Product / Component: Cloud Services :: Server: Identity (defect)
Tracking: not tracked
Reporter: ole; Assignee: jedp
Description
This is most probably a silly report but I felt like submitting it anyway just to be safe: https://login.persona.org/pk is giving the following content:

{"algorithm":"RS","n":"17509749861694494494872460053767835050404245850222879923332851070407477620437941563820370764990477086508806099113661589535215545809212436371869690217935480275301494883983840351632640822325289256934614304878571065647568495354752736459078065284153699261713437731281726278933523782613960153494025694829910802495907763077221584500090734186210456302804688432308477849241892388436867354393423977864761996488423216605179096539599112292886002298421934335629189702494844669371216985661583323059605724956419024024496484812121544425787678170853739436523841716755854649351240407306619936424744028896232428860573678920055912798079","e":"65537"}

You guys can probably tell whether that is something that should be accessible or not (pk = private key?¿?¿!!)

Thanks
Comment 1•11 years ago
pk == "public key", in this case. This is a dupe of an INVALID bug, but I can't find it.
Group: websites-security → mozilla-services-security
Component: Login → Server: Identity
OS: Linux → All
Product: Mozilla Developer Network → Mozilla Services
Hardware: x86_64 → All
Whiteboard: DUPEME
Updated•10 years ago
Assignee: nobody → jparsons
Comment 2•10 years ago
Yes, it's the public key. It's the same as you'll get if you request it from the well-known file: https://login.persona.org/.well-known/browserid

I imagine this may once have been useful for debugging purposes. But the code marks the url as deprecated: https://github.com/mozilla/persona/blob/dev/lib/static/views.js#L460

I'll look for a bug this might be a dupe of and mark it as such. Thanks in any case for being vigilant and for filing the report, Martin!
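The triage question in this bug is whether the JSON at /pk contains anything beyond the public modulus n and exponent e, and whether it is the same key the provider publishes in its well-known file. The script below is an added example of that check, not code from the Persona project or from this bug's participants. The modulus and exponent are copied from the /pk response quoted in the report; the well-known document and the "leaked key" sample are constructed here for illustration, and the private-component field names ("d", "p", "q", "dp", "dq", "qi") are an assumption about how an RSA private key would be serialized, not something the page shows.

```python
"""Triage check for an "is this a private key?" report.

Added example for this bug, not code from the Persona project. The modulus
and exponent come from the /pk response quoted in the report; the
well-known document and the leaked-key sample are constructed here, and the
private-component field names ("d", "p", "q", ...) are an assumption about
how an RSA private key would be serialized, not taken from the page.
"""
import json

# Modulus n (decimal string) and exponent e copied from the /pk response.
N_FROM_REPORT = "17509749861694494494872460053767835050404245850222879923332851070407477620437941563820370764990477086508806099113661589535215545809212436371869690217935480275301494883983840351632640822325289256934614304878571065647568495354752736459078065284153699261713437731281726278933523782613960153494025694829910802495907763077221584500090734186210456302804688432308477849241892388436867354393423977864761996488423216605179096539599112292886002298421934335629189702494844669371216985661583323059605724956419024024496484812121544425787678170853739436523841716755854649351240407306619936424744028896232428860573678920055912798079"
E_FROM_REPORT = "65537"

# The /pk body as quoted in the report.
PK_RESPONSE = json.dumps({"algorithm": "RS", "n": N_FROM_REPORT, "e": E_FROM_REPORT})

# Constructed stand-in for https://login.persona.org/.well-known/browserid;
# the real document carries the provider's key under "public-key".
WELL_KNOWN = json.dumps({
    "public-key": {"algorithm": "RS", "n": N_FROM_REPORT, "e": E_FROM_REPORT},
    "authentication": "/sign_in",
    "provisioning": "/provision",
})

# Constructed example of what a genuine leak would look like: the same
# shape plus the private exponent d (toy textbook numbers, n = 61 * 53,
# not a usable key; the field name "d" is an assumption).
LEAKED_SAMPLE = json.dumps({"algorithm": "RS", "n": "3233", "e": "17", "d": "2753"})

# Fields that only ever appear in an RSA *private* key (assumed names).
PRIVATE_FIELDS = ("d", "p", "q", "dp", "dq", "qi")


def classify_key(doc: str) -> dict:
    """Report whether a JSON key document exposes private material and
    sanity-check that n and e look like an RSA public key."""
    obj = json.loads(doc)
    exposed = [f for f in PRIVATE_FIELDS if f in obj]
    n = int(obj["n"])
    e = int(obj["e"])
    # RSA: n is a product of two odd primes (so odd); e is odd and 1 < e < n.
    looks_like_rsa = n % 2 == 1 and e % 2 == 1 and 1 < e < n
    return {
        "algorithm": obj.get("algorithm"),
        "kind": "private" if exposed else "public",
        "private_fields": exposed,
        "bits": n.bit_length(),
        "e": e,
        "looks_like_rsa": looks_like_rsa,
    }


def same_key_as_well_known(pk_doc: str, well_known_doc: str) -> bool:
    """True if the /pk key equals the key published in the well-known file."""
    a = json.loads(pk_doc)
    b = json.loads(well_known_doc)["public-key"]
    return (a["algorithm"], int(a["n"]), int(a["e"])) == (
        b["algorithm"], int(b["n"]), int(b["e"]))


def triage(pk_doc: str, well_known_doc: str) -> str:
    """One-line verdict for the bug: incident, invalid, or needs a look."""
    report = classify_key(pk_doc)
    if report["private_fields"]:
        return "INCIDENT: private components exposed: " + ", ".join(report["private_fields"])
    if not report["looks_like_rsa"]:
        return "investigate: fields do not look like an RSA public key"
    if same_key_as_well_known(pk_doc, well_known_doc):
        return "invalid: public key only, identical to the published well-known key"
    return "investigate: public key only, but not the key the provider publishes"


if __name__ == "__main__":
    print(classify_key(PK_RESPONSE))
    print(triage(PK_RESPONSE, WELL_KNOWN))
    print(triage(LEAKED_SAMPLE, WELL_KNOWN))
```

Run against the quoted response, the verdict is "invalid": the document carries only n and e, which every relying party must already be able to fetch to verify a BrowserID assertion, and it matches the key in the well-known file. Only a "d", "p" or "q" field (as in the constructed sample) would turn the same URL into a real disclosure.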
Comment 3•10 years ago
Hmm... Having searched through all open and closed Identity bugs, I don't see what this could be a dupe of. Curtis, shall we just close as invalid?
Flags: needinfo?(curtisk)
Comment 4•10 years ago
You're the expert, hence why we moved this into your bucket. Is this even a security issue? Can we remove the flags on this bug if it is invalid?
Flags: needinfo?(curtisk) → needinfo?(jparsons)
Comment 5•10 years ago
It's not a security issue, no. I'll close as invalid. Please go ahead and remove the flag. Thanks! j
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jparsons) → needinfo?(curtisk)
Resolution: --- → INVALID
Updated•10 years ago
Group: mozilla-services-security
Whiteboard: DUPEME
Updated•10 years ago
Flags: needinfo?(curtisk)