I've noticed that the Dropbox PHP SDK requires you to put your API credentials in a JSON file that might be publicly available if the SDK code is placed within the DOCUMENT_ROOT directory. What are the security implications if an attacker discovers these?
-
Why not check out the API and see for yourself what you would be able to do with the credentials? – Jonathan Gray Dec 12 '15 at 14:26
-
Just did. Apparently it would be possible to steal files from the authenticated user's dropbox but the limitation is that the oauth server checks the redirect URI so I'm unable to get an access token. Still bad though. – s3v3n Dec 12 '15 at 15:19
-
That could be bypassed via DNS spoofing. Which is possible in targeted attacks. – Jonathan Gray Dec 12 '15 at 15:59
-
Can you give me a scenario for that? Other than being on the same physical network with the victim. – s3v3n Dec 12 '15 at 16:10
-
It would have to involve some way via man in the middle. The app secret is also used to verify to the application itself that it's really talking with Dropbox's servers. If you were to MitM the application server you could pose as Dropbox, grabbing tokens and whatnot. – Jonathan Gray Dec 12 '15 at 16:47
-
Yes, indeed, although if there's a possibility to do MITM between the app and the servers or to perform the DNS poisoning there are bigger problems than just public API secrets. Thanks anyway – s3v3n Dec 12 '15 at 17:00
-
It appears in this case that the API secret is simply just a security mitigation, like two-factor authentication. – Jonathan Gray Dec 12 '15 at 17:06
-
Not really. It's used to authenticate the server: https://www.dropbox.com/static/images/developers/oauth2-diagram.png – s3v3n Dec 12 '15 at 17:26
-
That's oversimplified. Much of the authentication actually happens between the client and Dropbox directly. But after that the server can communicate to Dropbox without the client, and in such cases the secret is used to protect the communications. The secret itself isn't actually required for proper authentication on the client side. It's really only used for server-to-server connections. – Jonathan Gray Dec 12 '15 at 17:56
1 Answer
... the Dropbox PHP SDK requires you to put your API credentials in a JSON file that might be publicly available if the SDK code is placed within the DOCUMENT_ROOT directory.
This is definitely not true. I think some of the example apps use a nearby JSON file to store various credentials for convenience, but there's nothing in the SDK that requires you to do that. (You could store the JSON file elsewhere, and the constructor for AppInfo takes a key and secret, so you can manage them however you want.)
For most apps it's probably not a big deal to expose the app secret, but I would still discourage developers from doing so.
To learn more, look around for discussions about exposing OAuth consumer secrets. Notably, mobile apps typically do expose those secrets (at least in OAuth 1), so there's been a fair amount of discussion of the security implications.
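One way to apply the answer's advice in practice, as an added example that is not code from the post or from the Dropbox SDK itself: build the AppInfo from environment variables, and only fall back to a JSON file after checking that it does not sit under DOCUMENT_ROOT. It assumes the v1 dropbox-sdk-php classes (Dropbox\AppInfo with a key/secret constructor and the static loadFromJsonFile() loader); the autoload path, env var names and the /etc/myapp path are assumptions.

```php
<?php
// Added example (not from the SDK or the post): build the Dropbox AppInfo
// from credentials kept out of the web root instead of a JSON file beside
// the SDK code. Assumes the v1 dropbox-sdk-php classes: Dropbox\AppInfo
// (constructor taking key and secret, static loadFromJsonFile()).
require_once __DIR__ . '/vendor/autoload.php';   // autoload path is an assumption

use Dropbox as dbx;

/**
 * Return true if $path resolves to a file inside the web server's
 * document root, i.e. a file a browser could fetch directly.
 */
function isUnderDocumentRoot($path, $documentRoot)
{
    $real = realpath($path);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        return false;   // unresolvable path: nothing for a browser to fetch
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

/**
 * Preferred: credentials come from the environment (set by the web
 * server or service manager), so no file under the site can leak them.
 * Fallback: a JSON file, but only if it lives outside DOCUMENT_ROOT.
 */
function loadAppInfo()
{
    $key    = getenv('DROPBOX_APP_KEY');      // env var names are assumptions
    $secret = getenv('DROPBOX_APP_SECRET');
    if ($key !== false && $secret !== false) {
        return new dbx\AppInfo($key, $secret);
    }

    $jsonPath = '/etc/myapp/dropbox-app-info.json';   // example path, outside the site
    $docRoot  = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
    if ($docRoot !== '' && isUnderDocumentRoot($jsonPath, $docRoot)) {
        throw new RuntimeException(
            "Refusing to read credentials from inside DOCUMENT_ROOT: $jsonPath");
    }
    return dbx\AppInfo::loadFromJsonFile($jsonPath);
}

$appInfo = loadAppInfo();
```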
-
OK, maybe it doesn't require you to store your credentials in a JSON file but they are encouraging developers to do so: https://www.dropbox.com/developers-v1/core/sdks/php – s3v3n Dec 13 '15 at 17:18
-
I looked online for some discussions and the very first one I found raised the same concerns: http://stackoverflow.com/a/1934234/539153 and pointed out that they decided to proxy all the information through their server. – s3v3n Dec 13 '15 at 17:18
-
On the web I wasn't able to create a proof of concept because the Dropbox oauth checks the redirect URL but if I think about it, having your secrets exposed means that any other app on your mobile phone would be able to use those to connect to dropbox/facebook and other services that use oauth and just steal users' info without the knowledge of the user. – s3v3n Dec 13 '15 at 17:24
-
If the user previously authorized the app - it will silently skip the "Allow this app to access your info" and will give you an access token right away. – s3v3n Dec 13 '15 at 17:57
-
But you would need to somehow control the target of the redirect (which is specified in advance by the app owner). – smarx Dec 13 '15 at 18:15
-
I was not aware that there's a redirect to a URL (myapp://) in the mobile flow as well. Now it seems indeed that although you have the secrets it's hard to get an access token. Thank you – s3v3n Dec 13 '15 at 18:31