
Trello Desktop Application Stores Authentication Token in Plain Text

 4 years ago
source link: https://www.tuicool.com/articles/e6vAVzm

The issue comes from the Electron framework, which leaves Trello's authentication token in plain sight. Electron (at the time of this post) does not encrypt cookies at rest, whereas Chromium-based browsers do so by default. When cookies are stored unencrypted, the data in them should contain nothing sensitive; that is a problem for applications that use cookie-based authentication, because the cookie itself is the credential.

Trello uses cookie-based authentication and keeps its authentication token in a cookie. Its desktop application is built on Electron, so that token is written to disk unencrypted.

Steps to reproduce:

  1. Log in to the Trello desktop application
  2. Navigate to C:\Users\%UserName%\AppData\Local\Packages\45273LiamForsyth.PawsforTrello_7pb5ddty8z1pa\LocalCache\Roaming\Trello
  3. Open the cookies file in DB Browser for SQLite
  4. The cookie named "token" is listed with its value stored unencrypted
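The manual check above (open the cookies database, look for the credential in the plaintext `value` column) can be scripted so it runs against any Electron or Chromium profile. The following is an added example, not code from the original post or from Trello/Electron. It assumes a simplified version of Chromium's `cookies` table (the real table has more columns) and builds a small constructed sample database inline so it runs offline; the token value and the "encrypted" bytes in the sample are made up.

```python
"""Check a Chromium-style Cookies database for credentials stored in the clear.

Added example, not code from the original post or from Trello/Electron. It
assumes a simplified version of Chromium's `cookies` table (the real table has
more columns) and builds a small sample database inline so it runs offline.
"""
from __future__ import annotations

import os
import sqlite3
import tempfile
from dataclasses import dataclass

# Cookie names that typically carry a session or auth credential. The post
# names only "token"; the others are common conventions (assumption).
SENSITIVE_NAMES = {"token", "session", "sessionid", "auth", "jwt"}


@dataclass
class CookieFinding:
    host: str
    name: str
    stored_in_clear: bool
    value_preview: str  # a few characters at most; never log the full credential


def audit_cookies(db_path: str) -> list[CookieFinding]:
    """Return a finding for every credential-looking cookie in the database.

    A cookie counts as stored in the clear when the plaintext `value` column is
    non-empty. Profiles that encrypt at rest (Chromium with OS crypt enabled)
    leave `value` empty and keep a blob in `encrypted_value` instead.
    """
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT host_key, name, value, encrypted_value FROM cookies ORDER BY rowid"
        ).fetchall()
    finally:
        con.close()

    findings: list[CookieFinding] = []
    for host, name, value, encrypted in rows:
        if name.lower() not in SENSITIVE_NAMES:
            continue
        in_clear = bool(value)
        if in_clear:
            preview = value[:4] + "..."
        else:
            preview = f"<{len(encrypted or b'')} encrypted bytes>"
        findings.append(CookieFinding(host, name, in_clear, preview))
    return findings


def build_sample_db(path: str) -> None:
    """Write a constructed sample database mimicking the Electron/Chromium layout."""
    con = sqlite3.connect(path)
    with con:
        con.execute(
            "CREATE TABLE cookies ("
            " host_key TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL,"
            " path TEXT NOT NULL, encrypted_value BLOB DEFAULT '')"
        )
        con.executemany(
            "INSERT INTO cookies (host_key, name, value, path, encrypted_value)"
            " VALUES (?, ?, ?, ?, ?)",
            [
                # Electron-style: the credential sits in `value` (constructed token).
                ("trello.com", "token", "5d1f0a9c3e7b", "/", b""),
                # Chromium-style: `value` empty, OS-crypt blob in `encrypted_value`
                # (constructed bytes, not a real ciphertext).
                ("example.org", "session", "", "/", b"v10" + bytes(24)),
                # Non-sensitive cookie, ignored by the audit.
                ("trello.com", "theme", "dark", "/", b""),
            ],
        )
    con.close()


def demo() -> list[CookieFinding]:
    """Build the sample database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Cookies")
        build_sample_db(path)
        return audit_cookies(path)


if __name__ == "__main__":
    for f in demo():
        status = "PLAINTEXT" if f.stored_in_clear else "encrypted"
        print(f"{f.host:<12} {f.name:<8} {status:<10} {f.value_preview}")
```

To use it on a real profile, copy the cookies file from the directory in step 2 to a scratch location first (the running application may hold a lock on it) and pass that path to `audit_cookies`. One caveat worth keeping in mind when reading the maintainers' response below: a non-empty `encrypted_value` is not a strong boundary either. On Windows, Chromium protects that blob with DPAPI under the logged-in user's account, so any code already running as that user can decrypt it; at-rest encryption raises the bar against copied files and other accounts on the machine, not against same-user code execution.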


Risks

  • Code execution (for example an RCE) in any other application running as the same user exposes the Trello token: it can be read straight from the cookies file, with no privilege escalation needed.
  • An attacker with enough privileges to reach the user's profile directory, locally or over the network, can copy the file and reuse the token.

Atlassian’s Response

I talked with the Electron maintainers about this to double check but Electron as a whole does not consider localStorage or IndexedDB a security issue since it requires read access to disk, and if an attacker has that they already have access to far worse items such as ssh keys and /etc/passwd.
