Comment 1 for bug 998185

Robert Clark (robert-clark) wrote: Re: Once a token is created/distributed its expiry date can be circumvented

I agree that this is a problem. Tokens time out to limit the scope of abuse through compromise/loss. Allowing tokens to be extended or chained in this way does water down the protection somewhat, but I don't think it's a big problem.

I could be wrong, but I'd expect that the initial attack vector for this is to obtain a token and extend it before it expires. At that point an attacker could do any number of things to attack or modify this user's settings via the API, perhaps having the same effect.

I'd like to understand where the requirement for chaining tokens like this came from before we take steps to limit/remove it as I expect doing so could break some applications that may rely on it currently.
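The chaining behaviour the comment describes, shown as an added example that is not part of the bug thread and is not Keystone's code: a toy HMAC-signed token service (hypothetical names `issue`, `renew_chained`, `renew_bounded`, constructed signing key and TTL) where the vulnerable renewal path hands out a fresh TTL to any valid token, so a holder who renews before each expiry keeps the token alive indefinitely, beside a bounded path that records the expiry of the credential-issued ancestor and never lets a derived token outlive it.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed for the example, not a real key
TTL = 3600.0                      # assumed token lifetime in seconds


def _sign(payload: dict) -> str:
    """Serialise the payload and append an HMAC so it cannot be tampered with."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(token: str, now: float) -> dict:
    """Check the MAC and the expiry; return the payload or raise ValueError."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now >= payload["expires"]:
        raise ValueError("token expired")
    return payload


def issue(user: str, now: float) -> str:
    """Issue from real credentials: fresh TTL, and record it as the chain bound."""
    return _sign({"user": user, "issued": now,
                  "expires": now + TTL, "chain_expires": now + TTL})


def renew_chained(token: str, now: float) -> str:
    """Vulnerable: any valid token buys a brand-new TTL, so the holder can
    renew just before each expiry and keep the token alive forever."""
    p = _verify(token, now)
    return _sign({"user": p["user"], "issued": now,
                  "expires": now + TTL, "chain_expires": now + TTL})


def renew_bounded(token: str, now: float) -> str:
    """Hardened: a token derived from a token inherits the ancestor's
    chain_expires, so the chain can never outlive the credential-issued token."""
    p = _verify(token, now)
    expires = min(now + TTL, p["chain_expires"])
    if expires <= now:
        raise ValueError("chain exhausted; re-authenticate with credentials")
    return _sign({"user": p["user"], "issued": now,
                  "expires": expires, "chain_expires": p["chain_expires"]})


def lifetime_after_chaining(renew, hops: int, step: float) -> float:
    """Issue a token at t=0, renew it `hops` times `step` seconds apart, and
    return how far the final token's expiry lies past the original expiry."""
    now = 0.0
    tok = issue("alice", now)
    original_expiry = _verify(tok, now)["expires"]
    for _ in range(hops):
        now += step
        tok = renew(tok, now)
    return _verify(tok, now)["expires"] - original_expiry


def chain_survives(renew, hops: int, step: float) -> bool:
    """True if the chain is still valid after `hops` renewals, False if it dies."""
    try:
        lifetime_after_chaining(renew, hops, step)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Renewing every 30 minutes for ten hops with the vulnerable path yields a
    # token valid 18000 s (five hours) past the original expiry.
    print("chained gain:", lifetime_after_chaining(renew_chained, 10, 1800))
    # The bounded path never gains anything and dies once the ancestor expires.
    print("bounded gain:", lifetime_after_chaining(renew_bounded, 1, 1800))
    print("bounded chain alive after 4 hops:", chain_survives(renew_bounded, 4, 1000))
```

The bounded variant is one possible mitigation, not the one the thread settles on: it preserves renewal for clients that rely on it while keeping the original expiry as a hard ceiling, so a stolen token can be refreshed but not kept alive past the point a fresh login would have been required anyway.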