Big API security problem: FAQs and Private Mode

dirk

16 Dec, 2009 11:16 AM

Hi guys,

Noticed you added some features to the API recently, including making faqs accessible to unauthenticated users.

From your changelog: “Allow anonymous users to read published FAQs from the API. rick November 18 2009”

There's a big problem with this though. We've just opened a new Tender account for a new product we're working on, that we're about to release internally, but nothing we discuss about it should get outside of our company as of now. So I enabled “Private Mode” (great feature by the way) on the account.

Now, here's the problem:

When I access the site through the API:
curl -H "Accept: application/json" "http://api.tenderapp.com/kaleidoscope/faqs"

I get the following response:

{
"offset":0,
"total":1,
"per_page":30,
"faqs":[
    {"section_href": "http://api.tenderapp.com/kaleidoscope/sections/2340",
    "permalink": "test1",
    "href": "http://api.tenderapp.com/kaleidoscope/faqs/6908",
    "updated_at": "2009-12-16T10:50:26Z",
    "title": "test",
    "body": "testing",
    "html_href": "http://kaleidoscope.tenderapp.com/faqs/test/test1",
    "published_at": "2009-12-16T10:50:17Z",
    "formatted_body": "<div><p>testing</p></div>",
    "keywords": "test",
    "created_at": "2009-12-16T10:50:26Z"}
    ]
}

I'd expect to get the following response:

Invalid email/password for "kaleidoscope.tenderapp.com"

Similarly, I can also grab the href for any FAQ section and get the full contents of the FAQ article.

It seems to me that, whoever worked on enabling unauthenticated API access to the faqs (which also is a cool feature), forgot to add a check whether the site the user is trying to access is set to “Private Mode” (somewhat less awesome). When I follow the “html_href” for any of the articles I'm neatly redirected to the login page, but following the “href” within the API gives me complete read-only access without authenticating.

This wouldn't be that big of a deal if only the actual faq links were accessible, but given that "api.tenderapp.com/site_name/faqs" is accessible without authentication for projects in “Private Mode”, all someone needs to get all of our posted FAQs is knowledge of this security problem and the name of our tender site.

For now, we'll forgo using the FAQ/Knowledge Base features of Tender for this project, as the discussion URLs do properly check for authentication when accessed through the API.

Please let me know when we may expect this feature to be fixed.

Thanks,
- Dirk

PS: If you want to make this discussion public, please feel free to do so, I thought it'd be a good idea to leave that choice up to you. We're not using the FAQ features for now, so I don't have any problem with having any of the information in my message – including our tender site name – available publicly.
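The missing check described in the post above, as an added example that is not part of the original thread or Tender's own code. It models both FAQ read endpoints (the index and the direct "href" for a single FAQ) behind one shared authorization gate, with the broken rule (anonymous read regardless of Private Mode, selected here by honour_private_mode: false) beside the corrected one. The site names, FAQ ids, user, password, function names and the Rails-like [status, body] response shape are all constructed for the example.

```ruby
# Added example, not Tender's own code: models the authorization gate an API
# handler needs before it serves FAQs, with the broken "anonymous read" rule
# (honour_private_mode: false) beside the corrected one that respects Private Mode.
# Site names, FAQ ids, users and passwords below are constructed sample data.

# Per-site settings: one public knowledge base, one site in Private Mode.
SITES = {
  "public-demo"  => { private_mode: false },
  "kaleidoscope" => { private_mode: true },
}.freeze

# Published and unpublished FAQs; only published ones are ever served.
FAQS = {
  6908 => { site: "kaleidoscope", permalink: "test1", title: "test",
            body: "testing", published_at: "2009-12-16T10:50:17Z" },
  6909 => { site: "kaleidoscope", permalink: "draft", title: "draft",
            body: "not yet", published_at: nil },
  100  => { site: "public-demo", permalink: "hello", title: "hello",
            body: "world", published_at: "2009-12-01T00:00:00Z" },
}.freeze

# Hypothetical credential store standing in for per-site email/password auth.
USERS = { ["kaleidoscope", "dirk@example.com"] => "hunter2" }.freeze

def authenticate(site, auth)
  return nil if auth.nil?
  email, password = auth
  USERS[[site, email]] == password ? email : nil
end

def unauthorized(site)
  [401, { "error" => "Invalid email/password for \"#{site}.tenderapp.com\"" }]
end

# One gate for every FAQ read (index and show), so a new endpoint cannot forget it.
# Returns nil when the request may proceed, else a [status, body] error response.
def authorize_faq_read(site, auth, honour_private_mode:)
  settings = SITES[site]
  return [404, { "error" => "unknown site" }] unless settings
  user = authenticate(site, auth)
  return unauthorized(site) if auth && user.nil?  # wrong credentials
  if honour_private_mode && settings[:private_mode] && user.nil?
    return unauthorized(site)                     # anonymous read of a private site
  end
  nil
end

def faq_json(id, faq)
  { "href" => "http://api.tenderapp.com/#{faq[:site]}/faqs/#{id}",
    "permalink" => faq[:permalink], "title" => faq[:title],
    "body" => faq[:body], "published_at" => faq[:published_at] }
end

# GET /:site/faqs
def faq_index(site, auth: nil, honour_private_mode: true)
  denied = authorize_faq_read(site, auth, honour_private_mode: honour_private_mode)
  return denied if denied
  published = FAQS.select { |_, f| f[:site] == site && f[:published_at] }
  [200, { "total" => published.size,
          "faqs"  => published.map { |id, f| faq_json(id, f) } }]
end

# GET /:site/faqs/:id -- the direct href the report says also leaked.
def faq_show(site, id, auth: nil, honour_private_mode: true)
  denied = authorize_faq_read(site, auth, honour_private_mode: honour_private_mode)
  return denied if denied
  faq = FAQS[id]
  return [404, { "error" => "not found" }] unless faq && faq[:site] == site && faq[:published_at]
  [200, faq_json(id, faq)]
end

if __FILE__ == $0
  p faq_index("kaleidoscope", honour_private_mode: false)             # the leak: 200 with the FAQ
  p faq_index("kaleidoscope")                                         # fixed: 401
  p faq_index("kaleidoscope", auth: ["dirk@example.com", "hunter2"])  # 200 for a member
end
```

The point of routing both endpoints through authorize_faq_read is the one the report makes implicitly: the web UI redirected to login because its check lived in a shared filter, while the new API action bypassed it. A per-action check would have to be remembered again for every future endpoint; a single gate keyed on the site's Private Mode setting does not.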

  1. Posted by rick on 16 Dec, 2009 06:02 PM

    Thanks for the report! It's fixed now.

  2. rick closed this discussion on 16 Dec, 2009 06:02 PM.

  3. dirk re-opened this discussion on 16 Dec, 2009 08:07 PM

  4. Posted by dirk on 16 Dec, 2009 08:07 PM

    Hi Rick,

    Thanks for taking care of this so quickly.

    - Dirk

    ---
    Sent from my iPhone

  5. Will closed this discussion on 16 Dec, 2009 08:12 PM.
