Potential sensitive information (Private Key) disclosed

RESOLVED INVALID

Status

Cloud Services
Server: Identity
RESOLVED INVALID
5 years ago
4 years ago

People

(Reporter: Martin Obiols, Assigned: jedp)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
This is most probably a silly report but I felt like submitting it anyway just to be safe:

https://login.persona.org/pk

is giving the following content:

{"algorithm":"RS","n":"17509749861694494494872460053767835050404245850222879923332851070407477620437941563820370764990477086508806099113661589535215545809212436371869690217935480275301494883983840351632640822325289256934614304878571065647568495354752736459078065284153699261713437731281726278933523782613960153494025694829910802495907763077221584500090734186210456302804688432308477849241892388436867354393423977864761996488423216605179096539599112292886002298421934335629189702494844669371216985661583323059605724956419024024496484812121544425787678170853739436523841716755854649351240407306619936424744028896232428860573678920055912798079","e":"65537"}

You guys can probably tell whether that is something that should be accessible or not (pk = private key?¿?¿!!)

Thanks
pk == "public key", in this case. This is a dupe of an INVALID bug, but I can't find it.
Group: websites-security → mozilla-services-security
Component: Login → Server: Identity
OS: Linux → All
Product: Mozilla Developer Network → Mozilla Services
Hardware: x86_64 → All
Whiteboard: DUPEME
Assignee: nobody → jparsons
Yes, it's the public key.  It's the same as you'll get if you request it from the well-known file: https://login.persona.org/.well-known/browserid

I imagine this may once have been useful for debugging purposes.  But the code marks the url as deprecated:

https://github.com/mozilla/persona/blob/dev/lib/static/views.js#L460

I'll look for a bug this might be a dupe of and mark it as such.

Thanks in any case for being vigilant and for filing the report, Martin!
Hmm... Having searched through all open and closed Identity bugs, I don't see what this could be a dupe of.  Curtis, shall we just close as invalid?
Flags: needinfo?(curtisk)
You're the expert, hence why we moved this into your bucket. Is this even a security issue? Can we remove the flags on this bug if it is invalid?
Flags: needinfo?(curtisk) → needinfo?(jparsons)
It's not a security issue, no.  I'll close as invalid.

Please go ahead and remove the flag.

Thanks!
j
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(jparsons) → needinfo?(curtisk)
Resolution: --- → INVALID
Group: mozilla-services-security
Whiteboard: DUPEME
Flags: needinfo?(curtisk)
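
The triage check implied by the thread, as an added example that is not part of the original bug or of the Persona code base: decide whether a key document carries only public RSA values (`n`, `e`) and whether the `/pk` response and the well-known document expose the same key. The `"public-key"` wrapper member and the private member names (`d`, `p`, `q`, `dp`, `dq`, `qi`) are assumptions taken from common RSA/JWK conventions, not from this page, and the sample keys are constructed toy values.

```javascript
// Added example: classify a BrowserID-style RSA key document.
// Assumption: private material would appear under these usual RSA/JWK
// member names; the page itself only shows "algorithm", "n" and "e".
const PRIVATE_MEMBERS = ["d", "p", "q", "dp", "dq", "qi"];

// Accept a bare key (the /pk shape quoted in the report) or a support
// document carrying the key under "public-key" (assumed well-known shape).
function extractKey(doc) {
  const obj = typeof doc === "string" ? JSON.parse(doc) : doc;
  const key = obj && obj["public-key"] !== undefined ? obj["public-key"] : obj;
  if (key === null || typeof key !== "object" || Array.isArray(key)) {
    throw new TypeError("not a key object");
  }
  return key;
}

function classifyKey(doc) {
  const key = extractKey(doc);
  const has = (m) => Object.prototype.hasOwnProperty.call(key, m);
  const leaked = PRIVATE_MEMBERS.filter(has);
  const hasPublic = typeof key.n === "string" && typeof key.e === "string";
  return {
    algorithm: key.algorithm,
    // Any private member present means the document must not be served.
    kind: leaked.length > 0 ? "private" : hasPublic ? "public" : "unknown",
    leaked,
    // Bit length of the decimal modulus string, 0 if absent.
    modulusBits: hasPublic ? BigInt(key.n).toString(2).length : 0,
  };
}

// True when both documents expose the same algorithm, modulus and exponent.
function sameKey(a, b) {
  const ka = extractKey(a);
  const kb = extractKey(b);
  return ka.algorithm === kb.algorithm &&
    BigInt(ka.n) === BigInt(kb.n) && BigInt(ka.e) === BigInt(kb.e);
}

// Constructed toy inputs (n = 61 * 53), not the key from the report.
const pkDoc = '{"algorithm":"RS","n":"3233","e":"17"}';
const wellKnownDoc = '{"public-key":{"algorithm":"RS","n":"3233","e":"17"}}';
const secretDoc = '{"algorithm":"RS","n":"3233","e":"17","d":"2753"}';

console.log(classifyKey(pkDoc), sameKey(pkDoc, wellKnownDoc));
console.log(classifyKey(secretDoc));
```

A document shaped like the one quoted in the report classifies as `public`; only a document that also carried private members would warrant a security bug.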