Dear Backendless support,
I love Backendless, but I am encountering a serious security problem, which is the following.
- I login with a user A
- I create a data object X with the logged-in user
- I logout from user A
- I login with another user B
- Just by knowing the objectId of the data object X, I am able to get full control over the data object created by user A from user B
I can already tell you that the permission table of the data object is set to deny “AuthenticatedUser” and “NotAuthenticatedUser” to find, update, delete, describe and change permission. Only create is allowed.
The code to reproduce the issue is very simple (let’s say that the user starts with no lists):
// user A creates a new list through the user's "lists" relation
user = Backendless.UserService.login("userA", "passA");
user.lists.push(new window.Classes.ShoppingList({"name": "listA"}));
user = Backendless.UserService.update(user);
var ListId = user.lists[0].objectId; // let's say that the saved list is the only one in the array
Backendless.UserService.logout();
// user B attaches the existing list to their own "lists" relation, knowing only its objectId
user = Backendless.UserService.login("userB", "passB");
user.lists.push(new window.Classes.ShoppingList({"objectId": ListId}));
user = Backendless.UserService.update(user);
User B now has full control over the element created by user A.
So, this suggests that just by knowing the objectId of an element it is possible to get control over it, even if you are not the owner.
Is this normal? To me this is a serious security problem, because I used to transmit objectIds publicly.
If it is normal, can you suggest a way of linking an object to multiple users, while giving only the owner the right to modify it?
In any case, if you want to check, my APP_ID is B4A6E251-561B-FEC4-FFFE-5BD9A26DB600
Thank you,
Ludwig Feed
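The ownership rule the post asks for (anyone may link an object by objectId, but only its owner may change its fields), as an added in-memory model in JavaScript; this is example code, not the Backendless SDK, and Store, login, saveUser and the user and list ids are made up.

```javascript
// Added example, not Backendless code: an in-memory model of the rule the post
// asks for. Store, login, saveUser, 'userA'/'userB' and 'LIST-n' ids are made up.
class Store {
  constructor() {
    this.lists = new Map();   // objectId -> { owner, name }
    this.users = new Map();   // userId   -> { lists: [objectId, ...] }
  }
  login(userId) {
    if (!this.users.has(userId)) this.users.set(userId, { lists: [] });
    return { userId, lists: this.users.get(userId).lists.map(objectId => ({ objectId })) };
  }
  // Persists the user's `lists` relation the way the post's update() call does,
  // but with an ownership check on every nested child that carries an objectId.
  saveUser(user) {
    const ids = [], denied = [];
    for (const child of user.lists) {
      if (!child.objectId) {
        // New object: the caller becomes its owner.
        child.objectId = `LIST-${this.lists.size + 1}`;
        this.lists.set(child.objectId, { owner: user.userId, name: child.name });
      } else {
        const stored = this.lists.get(child.objectId);
        if (!stored) { denied.push(child.objectId); continue; }
        // Linking an existing object by id is allowed (shared access), but its
        // fields change only when the caller is the owner.
        const patch = Object.keys(child).filter(k => k !== 'objectId');
        if (patch.length && stored.owner !== user.userId) denied.push(child.objectId);
        else for (const k of patch) stored[k] = child[k];
      }
      ids.push(child.objectId);
    }
    this.users.get(user.userId).lists = ids;
    return { lists: ids, denied };
  }
}

// Replays the post's steps against the model: B links A's list by id and tries
// to rename it through the relation; the link is kept, the rename is refused.
function replay() {
  const store = new Store();
  let user = store.login('userA');
  user.lists.push({ name: 'listA' });
  const listId = store.saveUser(user).lists[0];
  user = store.login('userB');
  user.lists.push({ objectId: listId, name: 'hijacked' });
  const result = store.saveUser(user);
  const stored = store.lists.get(listId);
  return { store, listId, linked: result.lists.includes(listId),
           denied: result.denied, name: stored.name, owner: stored.owner };
}
```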