
Protocol: "lao/state" message is at risk of misuse

Open pierluca opened this issue 4 years ago • 0 comments

This issue relates to the LAO properties update logic.

LAO properties update flow

When an organizer (front-end) wants to suggest changes to the LAO, it publishes the suggested changes in a lao/update_properties message data object, collects signatures from witnesses on that object, and when a quorum is reached it broadcasts a lao/state message data object. Any client receiving a valid lao/state message will consider the properties to be correctly updated.

The problem

The lao/state message data object to be found in dataStateLao.json contains a number of fields that are redundant with the lao/update_properties message data object which it references in its modification_id.

There's a risk that such fields would be read from the lao/state object without being checked against the LAO state and the message referenced in modification_id, creating an opportunity for misuse and thus security flaws that could be exploited by a hostile organizer.

Suggested solution

I would suggest dropping the following fields:

  • name
  • creation
  • last_modified
  • organizer
  • witnesses

And base those values on the previous state of the LAO (for organizer, creation) or on the lao/update_properties message (for name, last_modified, witnesses).

Let's discuss!

What do you think?

pierluca, Mar 06 '21 00:03
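
The check the issue asks for, as an added example that is not part of the original issue or the project's code: a receiver takes organizer and creation from the previous LAO state and name, last_modified and witnesses from the lao/update_properties message referenced by modification_id, and rejects a lao/state whose redundant fields disagree. The function name, its parameters, the quorum rule and the sample values are assumptions; signature verification is assumed to happen elsewhere.

```python
# Added example (not PoPStellar project code). Field names come from the issue;
# the function, its parameters and the quorum rule are hypothetical.
REDUNDANT = ("name", "creation", "last_modified", "organizer", "witnesses")

def apply_lao_state(lao, updates, state, verified_signers, quorum):
    """Return the new LAO properties, or raise ValueError.

    lao: previous trusted LAO state; updates: received lao/update_properties
    objects keyed by message id; state: incoming lao/state object (untrusted);
    verified_signers: keys whose signature on the update was already verified
    (assumed to happen elsewhere); quorum: required count (assumed policy).
    """
    update = updates.get(state.get("modification_id"))
    if update is None:
        raise ValueError("modification_id references no known update")
    # Assumption: only witnesses of the previous LAO state count toward quorum.
    if len(set(verified_signers) & set(lao["witnesses"])) < quorum:
        raise ValueError("witness quorum not reached")
    derived = {
        "organizer": lao["organizer"],            # from previous state
        "creation": lao["creation"],              # from previous state
        "name": update["name"],                   # from the signed update
        "last_modified": update["last_modified"],
        "witnesses": sorted(update["witnesses"]),
    }
    # Redundant fields, if still present, must agree with the trusted values.
    for field in REDUNDANT:
        if field in state:
            claimed = state[field]
            if field == "witnesses":
                claimed = sorted(claimed)
            if claimed != derived[field]:
                raise ValueError(f"lao/state {field!r} contradicts trusted value")
    return derived

# Constructed sample data (keys and ids are placeholders, not real values).
LAO = {"name": "Old", "creation": 100, "last_modified": 100,
       "organizer": "org-key", "witnesses": ["w1", "w2", "w3"]}
UPDATES = {"msg-1": {"name": "New", "last_modified": 200,
                     "witnesses": ["w1", "w2", "w3"]}}
HONEST = {"modification_id": "msg-1", "name": "New", "creation": 100,
          "last_modified": 200, "organizer": "org-key",
          "witnesses": ["w1", "w2", "w3"]}
# Same reference, but redundant fields that disagree with the signed update.
TAMPERED = dict(HONEST, organizer="other-key", witnesses=["w9"])

def rejected(state, signers=("w1", "w2"), quorum=2):
    try:
        apply_lao_state(LAO, UPDATES, state, signers, quorum)
    except ValueError:
        return True
    return False
```

A lao/state carrying only modification_id passes this check unchanged, which is the shape the issue proposes.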