
External WebId security issue

Open bourgeoa opened this issue 4 years ago • 2 comments

Tim Berners-Lee @timbl May 14 16:11 Interesting: Trying to register a new account with an external webid I get a message saying linked accounts are not supported?

Alain Bourgeois @bourgeoa May 14 16:18 @timbl it has been removed by @michielbdejong and I don't know why solid/node-solid-server#1566

Tim Berners-Lee @timbl May 14 16:40 I assume it was a security thing? I wonder how many accounts there are with linked owners

Tim Berners-Lee @timbl May 14 16:46 Anyone else know?

Michiel de Jong @michielbdejong 09:27 Yes, it was a security thing. We can only re-activate it if we fix the way aliases work, first. With the current code, it was possible to steal any existing username on the same server and make it a local alias of the newly created account. So you would need to add a check to make sure the external webid is not local!

@michielbdejong Is aliases owl:sameAs? Is the security issue related to CORS?

bourgeoa, May 15 '21 15:05

It's user.link, unrelated to owl and to cors. https://github.com/solid/node-solid-server/blob/main/lib/models/authenticator.js#L147

michielbdejong, May 17 '21 08:05
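The check named in the issue text above ("make sure the external webid is not local"), as an added example; it is not node-solid-server's code. `canonicalHost`, `classifyWebId` and the host `pod.example` are hypothetical, and the example assumes local accounts live on the server's own host or on a subdomain of it.

```javascript
// Added example: hypothetical helpers, not node-solid-server code.
// The WHATWG URL parser already lower-cases and punycodes the hostname;
// a trailing root dot ("pod.example.") still has to be removed.
function canonicalHost (url) {
  return url.hostname.replace(/\.$/, '')
}

// Classify a WebID submitted at registration against the server's root URI.
// Returns 'external', 'local' or 'invalid'; only 'external' may be linked.
function classifyWebId (webIdUri, serverUri) {
  let webId, server
  try {
    webId = new URL(webIdUri)
    server = new URL(serverUri)
  } catch (err) {
    return 'invalid' // unparsable input is rejected, never linked
  }
  if (webId.protocol !== 'https:' && webId.protocol !== 'http:') return 'invalid'
  // Policy choice of this example: refuse URIs that carry userinfo.
  if (webId.username || webId.password) return 'invalid'

  const webIdHost = canonicalHost(webId)
  const serverHost = canonicalHost(server)
  // Scheme and port are deliberately ignored: any URI on the server's host,
  // or on a subdomain of it, is treated as local (fails closed).
  if (webIdHost === serverHost || webIdHost.endsWith('.' + serverHost)) {
    return 'local'
  }
  return 'external'
}

// Constructed sample input; pod.example stands in for the server's host.
const SERVER = 'https://pod.example:8443'
const samples = [
  'https://alice.pod.example:8443/profile/card#me',
  'https://ALICE.pod.example./profile/card#me',
  'https://pod.example/alice/profile/card#me',
  'https://alice.other.example/profile/card#me',
  'https://notpod.example/profile/card#me',
  'https://pod.example.other.example/profile/card#me'
]
for (const s of samples) console.log(classifyWebId(s, SERVER).padEnd(9), s)
```

A registration handler would accept the submitted WebID only when the result is `'external'`.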

Reminder: solid:oidcIssuer not implemented for external webId https://github.com/solid/node-solid-server/issues/1510#issuecomment-1058244694

bourgeoa, Mar 08 '22 17:03