
Insecure amazon client/secret

Open kalbasit opened this issue 9 years ago • 2 comments

Hi,

I noticed that you plan to embed Amazon's client id and secret in the binary. While this is convenient, this is also insecure.

wmn@cratos ~/code/src/github.com/sgeb/acdcli [master] ± % ACD_API_CLIENTID="amzn1.application-oa2-client.this_is_a_hash" ACD_API_SECRET="this_is_a_secret" make dev
==> Getting dependencies...
>> Getting package github.com/sgeb/go-acd
>> Getting package golang.org/x/oauth2
>> Getting package github.com/mitchellh/cli
>> Getting package github.com/dustin/go-humanize
>> Getting package github.com/mitchellh/gox
package github.com/mitchellh/cli
    imports golang.org/x/crypto/ssh/terminal: golang.org/x/crypto is a custom import path for https://go.googlesource.com/crypto, but /Users/wmn/code/src/golang.org/x/crypto is checked out from https://code.google.com/p/go.crypto
>> Setting github.com/dustin/go-humanize to version
>> Setting golang.org/x/oauth2 to version
>> Setting github.com/mitchellh/cli to version
>> Setting github.com/sgeb/go-acd to version
>> Setting github.com/mitchellh/gox to version
>> Building package github.com/sgeb/go-acd
>> Building package golang.org/x/oauth2
>> Building package github.com/mitchellh/cli
>> Building package github.com/dustin/go-humanize
>> Building package github.com/mitchellh/gox
>> All Done
==> Removing old directory...
==> Building...
Number of parallel builds: 8

-->    darwin/amd64: github.com/sgeb/acdcli/acdcli

==> Results:
total 15024
-rwxr-xr-x  1 wmn  staff   7.3M May 22 10:25 acdcli
wmn@cratos ~/code/src/github.com/sgeb/acdcli [master] ± % strings ~/code/bin/acdcli| grep 'a_hash\|a_secret'
this_is_a_secret
amzn1.application-oa2-client.this_is_a_hash

Although the secret does not have a known guessable prefix, it is always 64 chars, which is easily guessable.

Take a look at https://github.com/caseymrm/drivesink, they have the client/secret hosted on a website and the users only get their access token and refresh token.

kalbasit, May 22 '15 17:05
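A build-time version of the `strings | grep` check kalbasit runs above, as an added example that is not part of acdcli or this thread: it pulls printable runs out of a binary the way `strings` does and reports anything shaped like the Amazon client id or a 64-character secret, so a release step can fail before a binary carrying the credentials ships. The 64-alphanumeric-character shape for the secret is an assumption taken from the comment above; the sample binary is constructed and reuses the placeholder values from the build log.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// runRe extracts runs of printable ASCII of at least 8 bytes, which is what `strings` prints.
// clientIDRe and secretRe are the credential shapes from the issue: the Amazon client-id
// prefix, and a 64-character alphanumeric run (an assumption based on "always 64 chars").
var (
	runRe      = regexp.MustCompile(`[\x20-\x7e]{8,}`)
	clientIDRe = regexp.MustCompile(`amzn1\.application-oa2-client\.[A-Za-z0-9_-]+`)
	secretRe   = regexp.MustCompile(`(?:^|[^A-Za-z0-9])([A-Za-z0-9]{64})(?:$|[^A-Za-z0-9])`)
)

// FindEmbeddedCredentials returns every client-id or secret-shaped string found in blob,
// so a release step can fail the build when the compiled binary still carries either.
func FindEmbeddedCredentials(blob []byte) []string {
	var hits []string
	for _, run := range runRe.FindAll(blob, -1) {
		s := string(run)
		if m := clientIDRe.FindString(s); m != "" {
			hits = append(hits, m)
		}
		for _, m := range secretRe.FindAllStringSubmatch(s, -1) {
			hits = append(hits, m[1])
		}
	}
	return hits
}

// SampleBinary is a constructed stand-in for the built acdcli: header bytes, the two
// placeholder values from the issue's build log, and a 64-character secret-like run.
func SampleBinary() []byte {
	b := []byte{0x7f, 'E', 'L', 'F', 0, 2, 0}
	b = append(b, "amzn1.application-oa2-client.this_is_a_hash\x00this_is_a_secret\x00"...)
	return append(b, strings.Repeat("ab", 32)+"\x00"...)
}

func main() {
	for _, h := range FindEmbeddedCredentials(SampleBinary()) {
		fmt.Println("credential-shaped string in binary:", h)
	}
}
```

Running the same function over the real build output (read with os.ReadFile) and failing `make dev` on any hit is the check this thread is asking for; the short placeholder "this_is_a_secret" is deliberately not flagged, since only the 64-character shape is known.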

Thanks for the suggestion, I'll look into it

sgeb, May 24 '15 13:05

A similar implementation solution: https://github.com/yadayada/acd_cli/blob/master/docs/authorization.rst

sapk, Jan 12 '16 15:01