Skip to content
This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

Security Vulnerability "/_data_/…/storage/cfg/…/…/accounts" #2134

Open
the-djmaze opened this issue Nov 10, 2021 · 1 comment
Open

Security Vulnerability "/_data_/…/storage/cfg/…/…/accounts" #2134

the-djmaze opened this issue Nov 10, 2021 · 1 comment

Comments

@the-djmaze
Copy link
Contributor

the-djmaze commented Nov 10, 2021
edited
Loading

RainLoop version, browser, OS:
v1.16

Expected behavior:
File can't be decrypted on (backup) server.

actual behavior:
File can be decrypted on (backup) server.

Steps to reproduce the problem:
When calling \RainLoop\Actions->SetAccounts()
It will store an array of values from \RainLoop\Model\Account->GetAuthToken()
Which in turn calls \RainLoop\Utils::EncodeKeyValues()
And that calls \RainLoop\Utils::EncryptString(@\serialize($aValues), \md5(APP_SALT))

When someone/something has access to the SALT.php file,
it can decode the encrypted accounts and gain all passwords.

These days with server breaches, ransomware, other attacks and the increase of backup behavior, the chance of being listed on "have i been pwned" has increased and the above mentioned issue becomes a bigger vulnerability.

Solutions:

  1. Encrypting the file based on user cookie is very unreliable and has a high fail rate.
  2. Encrypting with a server stored key (like the SALT.php) opens this issue
  3. Encrypting using the main account password (the login) fails when password is changed or when using OAUTHBEARER/XOAuth2
  4. Only encrypting the account passwords with (3) keeps the accounts, but only login will fail.

With (4) you could store an HMAC of the encrypted password to check if the account login works.

Same issue applies to the 'contacts_sync' file
the-djmaze pushed a commit to the-djmaze/snappymail that referenced this issue Nov 11, 2021
Revamp the whole accounts system for better management and control.
a18d393 
This also solves RainLoop/RainLoop#2134
@tomasz-c tomasz-c mentioned this issue Jan 7, 2022
Merged
11 tasks
@yeupou yeupou mentioned this issue Jan 30, 2022
Open
@the-djmaze the-djmaze mentioned this issue Apr 5, 2022
Closed
This was referenced Aug 20, 2022
Open
Open
Closed
Open
Open
@Neustradamus
Copy link

Please use SnappyMail from @the-djmaze, we can thanks for this work!

Please note that SnappyMail supports SCRAM-SHA-* for connection, very good security:

Linked to:

@Neustradamus Neustradamus mentioned this issue Sep 1, 2022
Open
@the-djmaze the-djmaze mentioned this issue Nov 26, 2022
Closed
@the-djmaze the-djmaze mentioned this issue Feb 1, 2023
Closed
@the-djmaze the-djmaze mentioned this issue Sep 25, 2024
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Neustradamus @the-djmaze