Search terms not being properly encrypted between SmartScopes server and Reddit

Bug #1313108 reported by Benjamin Kerensa on 2014-04-26
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Unity Reddit Scope
High
David Callé

Bug Description

The reddit scope is leaking user searches on the dash.

Related branches

Benjamin Kerensa (bkerensa) wrote :

After further investigating it seems like the leak to reddit mods occurs because the scope uses https://reddit.com versus https://ssl.reddit.com which is called for by the API for SSL queries.

David Callé (davidc3) on 2014-04-26
no longer affects: onehundredscopes
David Callé (davidc3) on 2014-04-26
Changed in unity-scope-reddit:
importance: Undecided → High
status: New → In Progress
assignee: nobody → David Callé (davidc3)
Benjamin Kerensa (bkerensa) wrote :

David,

Just a note the reason it was leaking data on https://reddit.com is because Reddit uses Akamai CDN for their site to scale to traffic but they do not use the SSL service because SSL via CDN providers is expensive. Instead they enable SSL via https://ssl.reddit.com using their API.

But FWIW I also do not think you can simply just change the url I think you need to make some small changes to properly make the calls via oauth2 otherwise it may kick back the call still.

https://github.com/reddit/reddit/wiki/OAuth2

Here on SSL not working on https://reddit.com and instead redirecting queries back to http http://www.reddit.com/r/redditdev/comments/155hs3/recent_problem_with_sslenabled_reddit/c7jn53u

I tested out https://reddit.com using the same query the scope works and confirmed it does the kickback to http.

Benjamin Kerensa (bkerensa) wrote :

So looking at the scope more closely and their documentation I do not think changing out will work as you have in your proposed change. I think you will need to rewrite the scope to use Reddit's API and register a "Installed App" and get a token and secret otherwise it seems without using oauth and having a registered app their API will kick back queries too although with a app and token/secret you can pass searches using their API and they will be via HTTPS.

Benjamin Kerensa (bkerensa) wrote :

Marking Public Security since privacy is not needed.

information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

The certificate on https://reddit.com is invalid, so either the code wasn't working at all, which means it wasn't leaking, or it's not checking certs properly, which means changing it to https://ssl.reddit.com will still result in a MITM being able to capture traffic.

David Callé (davidc3) wrote :

Thanks for all that info, I'm looking into it. For the record all this happens between the SmartScopes Server and Reddit, the data provider can't correlate queries with a specific user.

summary: - [Reddit] Leaks user dash searches
+ Search terms not being properly encrypted between SmartScopes server and
+ Reddit
Benjamin Kerensa (bkerensa) wrote :

Marc,

https://reddit.com redirects to http because its Akaimai. They setup SSL.reddit.com specifically for SSL and apps so no risk there.

David,

Yeah I had not realized scopes now were on a canonical server this is probably a good thing. I haven't really followed the feature.

Marc Deslauriers (mdeslaur) wrote :

Benjamin,

I don't think you quite understand what I'm saying. If the code worked with https://reddit.com and an invalid certificate, it means it's not properly doing certificate validation. Just changing the URL to https://ssl.reddit.com isn't enough to prevent a MITM, the certificate validation needs to be fixed also.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers