Security issue - Acquiring data permission without having it

Dear Backendless support,

I love Backendless, but I am encountering a serious security problem, which is the following.

  1. I login with a user A
  2. I create a data object X with the logged-in user
  3. I logout from user A
  4. I login with another user B
  5. Just by knowing the objectId of the data object X, I am able to get full control over the data object created by user A from user B

I can already tell you that the permission table of the data object is set to deny “AuthenticatedUser” and “NotAuthenticatedUser” to find, update, delete, describe and change permission. Only create is allowed.

The code to reproduce the issue is very simple (let’s say that the user starts with no lists):

// Step 1-2: log in as user A and create a ShoppingList through the user's "lists" relation
user = Backendless.UserService.login("userA", "passA");
user.lists.push(new window.Classes.ShoppingList({ "name": "listA" }));
user = Backendless.UserService.update(user);
var ListId = user.lists[0].objectId; // let's say that the saved list is the only one in the array

// Step 3: log out user A
Backendless.UserService.logout();

// Step 4-5: log in as user B and attach the existing object by objectId only
user = Backendless.UserService.login("userB", "passB");
user.lists.push(new window.Classes.ShoppingList({ "objectId": ListId }));
user = Backendless.UserService.update(user);

User B now has full control over the element created by user A.

So, this suggests that just by knowing the objectId of an element it is possible to get control over it, even if you are not the owner.

Is this normal? To me this is a serious security problem, because I used to transmit objectIds publicly.

If it is normal, can you suggest a way of linking an object to multiple users, but giving only the owner the right to modify it?

In any case, if you want to check, my APP_ID is B4A6E251-561B-FEC4-FFFE-5BD9A26DB600

Thank you,

Ludwig Feed

Hi, Ludwig.
Have you seen the properties “Table Schema and Permissions” (red button in the top right on the Data tab)? There you find “Owner Policy”. Try it. Is this what you are looking for?

Dear Oleg, thank you for the reply.

Yes, I have that table well in mind. However, even if only the owner has the permission to modify, this does not prevent other users from getting FULL CONTROL over a data object of which they are NOT the owner, and which they should not have permission to modify.

I know that it takes some minutes, but if you are able to execute the code that I posted you will see the issue.

I don’t know how to solve it, probably I am not doing something correctly, but for the moment… this is a serious security problem for me.

Looking forward to your reply,

Ludwig

Hi Ludwig,

When you say “full control”, do you mean that user B would be able to perform the complete set of CRUD operations on the object?

Regards,
Mark

If I block all permissions except create for the Authenticated and NotAuthenticated roles, all works.
Use, for example, the REST console (in the Data tab).
I am able to create an object with user1 and user2. But when I do a find, I get only objects with the ownerId of the currently logged-in user. Then, if I set “deny” in Owner policy (for find), I won’t be able to find any object at all.

Dear Mark, thank you for intervening.
The problem does not arise with REST commands, but only using pure JavaScript code as posted.

In particular, the problem arises when I update a User object, and inside its properties I put a reference to another data object, which is owned by another user.
In my opinion, when trying to update a user object featuring an external, non-accessible object, the request should fail. Instead it succeeds and the result is that now both users are owners of that object… And both of them now have owner rights… Even if the second user did not create the object.

For me this is a way of passing around permission rights… And I don’t understand why it happens.

I think that the code I posted at the beginning explains the dynamic even better, and it is very simple.

Hi Ludwig,

Our JS library uses the REST API internally, therefore any calls with either direct REST or indirect via the JS library would be the same.

The code you demonstrated shows that a non-owner can establish a relation with the object in question. However, the code does not demonstrate that the user got “full control”. If the user B attempts to do any of the following and the system allows it, then, yes, you can say the user got full control:

  1. modify the internal object state (meaning any of its properties)
  2. delete the object altogether
  3. retrieve the object

See if user B can do any of these. If the app is configured to deny all operations except for "Create", you should be getting an error.

Regards,
Mark
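The three checks Mark lists above can be turned into a small probe that a developer can run against their own app after the relation step. The block below is an added example, not code from the original thread or from the Backendless SDK: the `client` is an abstract interface (login/logout/create/relate/retrieve/update/remove) and an in-memory stand-in table is constructed here so the probe runs offline; wiring the same interface to the real SDK or REST API is left to the reader. The fake table enforces the ACL described in the thread (AuthenticatedUser denied find/update/delete, owner policy granting the owner everything), and the `relationReassignsOwner` switch reproduces the reported symptom (the relation update making user B an owner) so the probe can be seen to flag it.

```javascript
// Added example (assumed interface, not Backendless's own code).
// Constructed in-memory stand-in for a Backendless table with an ACL:
// AuthenticatedUser is denied find/update/delete, owner policy grants all.
function makeFakeClient({ relationReassignsOwner }) {
  const objects = new Map();
  let currentUser = null;
  const deniedForAuthenticatedUser = new Set(['find', 'update', 'delete']);

  function allowed(op, obj) {
    if (obj.ownerId === currentUser) return true;        // owner policy: grant
    return !deniedForAuthenticatedUser.has(op);          // role policy
  }

  return {
    login(userId) { currentUser = userId; },
    logout() { currentUser = null; },
    create(objectId, props) {
      objects.set(objectId, { objectId, ownerId: currentUser, ...props });
      return objectId;
    },
    // Stands in for UserService.update(user) with { objectId } pushed into user.lists.
    // When relationReassignsOwner is true, this models the symptom reported above.
    relate(objectId) {
      const obj = objects.get(objectId);
      if (!obj) throw new Error('no such object');
      if (relationReassignsOwner) obj.ownerId = currentUser;
    },
    retrieve(objectId) {
      const obj = objects.get(objectId);
      if (!obj || !allowed('find', obj)) throw new Error('403 find denied');
      return { ...obj };
    },
    update(objectId, props) {
      const obj = objects.get(objectId);
      if (!obj || !allowed('update', obj)) throw new Error('403 update denied');
      Object.assign(obj, props);
      return { ...obj };
    },
    remove(objectId) {
      const obj = objects.get(objectId);
      if (!obj || !allowed('delete', obj)) throw new Error('403 delete denied');
      objects.delete(objectId);
    },
  };
}

// The probe: as the currently logged-in non-owner, try each of the three
// operations and record whether the backend allowed or denied it.
function probeNonOwnerAccess(client, objectId) {
  const report = {};
  const attempt = (op, fn) => {
    try { fn(); report[op] = 'allowed'; } catch (e) { report[op] = 'denied'; }
  };
  attempt('retrieve', () => client.retrieve(objectId));
  attempt('update', () => client.update(objectId, { name: 'probe' }));
  attempt('delete', () => client.remove(objectId));
  return report;
}

// "Full control" in Mark's sense: every operation in the report was allowed.
function hasFullControl(report) {
  return Object.values(report).every((r) => r === 'allowed');
}

// The scenario from the first post: A creates, logs out; B relates, then is probed.
function runScenario(relationReassignsOwner) {
  const client = makeFakeClient({ relationReassignsOwner });
  client.login('userA');
  const listId = client.create('list-0001', { name: 'listA' }); // constructed objectId
  client.logout();
  client.login('userB');
  client.relate(listId);
  return probeNonOwnerAccess(client, listId);
}
```

With a correctly enforced ACL the report reads all `denied`, and `hasFullControl` is false; if the relation step silently makes B an owner, every operation comes back `allowed`, which is the condition the thread is about. Against a real backend, run the probe with user B's session and treat any `allowed` entry as a finding to raise with the vendor.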

Yes, that is exactly what brought me to write in the forum: after becoming owner, I confirm that user B is able to modify the properties of the object.

To reproduce the issue, you have to save the object indirectly, by changing the user and then sending a UserService.update call.

So, one question: when I change the DB through JavaScript code after login, is it recognised as AuthenticatedUser or JSUser?

Thank you again,
Ludwig

The “UserService.Update” call modified the User object, NOT the object which you have the objectId for.

The “JSUser” role is assigned whenever you use “JS Secret Key”.

The “AuthenticatedUser” role is assigned when you make an API call while a user is logged in.

Both roles can be assigned at the same time.

Regards,
Mark

I just tried again… UserService.update seems to update everything, so if I changed a property of an object, the object will be updated too.

Any idea?

Regards,
Ludwig

Thanks for the confirmation, we will look into it.

For tracking purposes, the internal id of this issue is: 13508

Regards,
Mark

Okay, I will wait if there are any updates. In the meanwhile I will do some other tests.

Thanks,
Ludovico

Any news?

Hi Ludwig,
It has not been investigated yet. This issue is on our roadmap, but this ticket does not have the highest priority.
We will notify you when we get some results.
Regards, Ilya

Okay, I keep waiting for good news :wink:

Thanks

Still no news right?

Dear Backendless, I have been waiting for more than one month. Do you have any idea when this problem is going to be solved? It represents a serious issue for my application and, if it is not resolved, I will have to consider other BaaS alternatives.
Thank you in advance,
Ludwig

Hi Ludwig,

We’re currently working on a new Backendless version which will not have this issue by design. The first preview should be available within a month.

Ok, that’s great. Let me know when it is ready.