feinstaub-api
Security of the post API
Maybe I'm missing something, but from what I see, the permission to post data for a specific sensor node is solely based on its id? That could potentially be bad, as you can get ids that are activated pretty easily.
Can you tell me how to get another activated id beside your own?
Again, maybe I'm getting it wrong. It's just an idea.
I was looking at: https://www.madavi.de/sensor/graph.php?showfloat
Sensors are named e.g. "esp8266-10666457-sds011" where "10666457" is the ID, right?
If it's not, I rest my case :)
The "feinstaub-api" and the server generating these graphics are independent. Not every sensor in the "feinstaub-api" is sending to madavi api. And some of the sensors shown there aren't sending to "feinstaub-api". Even some of the sensors not marked red if they are "known". Example: esp8266-906538 is shown on madavi.de but should be denied by api.luftdaten.info
But there are at least some? Anyway, it's a 6-digit ID, you could easily brute force it and generate garbage data. Maybe allow the exchange of a shared secret for 24 hours after activating an ID? That wouldn't put any more work on the user's side.
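One way to model the shared-secret proposal from the comment above, as an added example that is not code from the feinstaub-api project: a node keeps its numeric ID, but may fetch a secret only once and only inside an activation window (the 24 h window, the `SensorRegistry` class, HMAC-SHA256 signing and the JSON payload are all assumptions constructed for this example), after which every post must carry a valid signature rather than just the ID.

```python
import hmac
import hashlib
import secrets
from typing import Optional

SECRET_WINDOW = 24 * 3600  # seconds; assumed from the 24 h proposal in the thread


class SensorRegistry:
    """Hypothetical registry: activation, one-time secret issue, signed posts."""

    def __init__(self) -> None:
        # node_id -> {"activated": epoch seconds, "secret": str or None}
        self._nodes: dict = {}

    def activate(self, node_id: str, now: float) -> None:
        self._nodes[node_id] = {"activated": now, "secret": None}

    def issue_secret(self, node_id: str, now: float) -> Optional[str]:
        """Hand out the shared secret once, only inside the activation window."""
        node = self._nodes.get(node_id)
        if node is None or node["secret"] is not None:
            return None  # unknown node, or secret already collected
        if now - node["activated"] > SECRET_WINDOW:
            return None  # window closed; re-activation would be needed
        node["secret"] = secrets.token_hex(32)
        return node["secret"]

    def verify_post(self, node_id: str, payload: bytes, signature: str) -> bool:
        """Accept a post only if it carries a valid HMAC made with the node's secret."""
        node = self._nodes.get(node_id)
        if node is None or node["secret"] is None:
            return False  # knowing an active ID alone is not enough to post
        expected = sign(node["secret"], payload)
        return hmac.compare_digest(expected, signature)


def sign(secret: str, payload: bytes) -> str:
    """What the sensor firmware would compute over the exact bytes it sends."""
    return hmac.new(secret.encode(), payload, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    reg = SensorRegistry()
    reg.activate("10666457", now=0.0)
    secret = reg.issue_secret("10666457", now=3600.0)
    body = b'{"P1": 12.3, "P2": 5.6}'  # constructed sample payload
    print("signed post accepted:", reg.verify_post("10666457", body, sign(secret, body)))
    print("ID-only post accepted:", reg.verify_post("10666457", body, ""))
```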