MediaGoblin 0.8.1: Security release

Basic Summary

We have had a security problem in our OAuth implementation reported to us privately and have taken steps to address it. The security problem affects all versions of GNU MediaGoblin since 0.5.0. I have created a patch for this and released a minor version 0.8.1 (see the release notes page). It’s strongly advised that everyone upgrade as soon as they can.

In order to exploit the security issue, an attacker must have had access to a logged in session to your GNU MediaGoblin account. If you have kept your username and password secret, logging in only over HTTPS and you’ve not left yourself logged in on publicly accessible computers, you should be safe. However it’s still advised all users take the following precautions, listed below.

Users should check their authorized clients. Any client which looks unfamiliar to you, you should deauthorize. To check this:

  1. Log in to the GNU MediaGoblin instance
  2. Click the drop down arrow in the upper right
  3. Click "Change account settings"
  4. At the bottom click the "Deauthorize applications" link

If you are unsure of any of these, click "Deauthorize".

I would like to thank Dylan Jeffers (author of Goblinoid) for finding and reporting this to us in a resposnible manner so that we were able patch this.

Technical Information

The security issue was caused by the verification of the OAuth verifier code. There the proper checks were not occuring to validate the verifier code matched the one issued to the request.

This only affected those who clicked the verifier link whilst being logged in and entered a different code. The assignment of the user to the access token only occurs when you go to the authorizaton page whilst being logged in. If the link isn’t clicked with the user logged in no user will be assigned to the access token and a client attempts to use it will be denied as the endpoints won’t be able to look up the requesting user.

A patch has been made should you wish to view the fix.