[solved] Web page snapshots in groups present a security risk
If I create a group with public membership and a shared library, (edit: public+shared files are not possible, see below) any member who snapshots a web page is compromising their security. Many websites embed their session cookies in their forms as a means of preventing CSRF attacks, and these session cookies are all an attacker would need to authenticate themselves to the snapshotted web site as the original user.
(I would rather not have posted a security issue to a public area like this, but I had no choice: There is no listed security email address and no bug tracker with security flagging.)
Second, the exploit window would be fairly narrow, as it would require a page with embedded tokens to be synced up to the server and down to the attacker's computer within the session timeout (though some sites, of course, have longer—or no—timeouts).
It would also seem that sites employing this technique should require a combination of a session cookie and a form security token so that neither the cookie nor the HTML source alone was sufficient to authenticate a user.
But we'd like to investigate this further. If you have examples of sites that embed tokens into forms in this way, please send them to support@zot....org.
I don't have any examples on hand—it's just something I've seen done on security-conscious sites. Some have separate session and posting cookies, as you note, but I've also seen the session cookie used for both purposes. If I happen to notice the latter case on (say) a journal website, I'll send a note to that address.
I appreciate the amount of thought you've put into these features.