HackerOne: Invalid Phabricator API token revealed through error message when escalating a report

2018-04-09T17:44:36
ID H1:335123
Type hackerone
Reporter bigbug
Modified 2018-06-27T05:03:49

Description

Summary

When a report is escalated to a Phabricator task, the error pop-up shown for an invalid API token includes the token itself. This happens whenever a user has entered an invalid API token in the integration settings.

Description

After the Phabricator integration has been set up for a program, escalating a report to Phabricator with an API token that is invalid (wrong length, or not accepted by Phabricator) produces an error message that contains the entered API token.

This was observed while escalating a report against a Phabricator instance using a previously used API token.

Steps to reproduce

  1. Visit https://hackerone.com/program name/phabricator_integration
  2. Enter an instance URL
  3. Enter the API token incorrectly.
  4. Now navigate to any report you want to escalate.
  5. Click on Edit References.
  6. Click on "Create phabricator task"
  7. An error message appears containing the API token.

  • Invalid token error

{F283480}

  • Invalid length error

{F283481}

The image above shows a token that was entered with the wrong length.

Both errors echo the incorrectly entered API token verbatim.

Fix

  1. The integration settings page does not validate the length of the API token when it is entered. Token length should be checked on the integration settings page itself.
  2. The validity of the API token should also be checked when the integration settings are saved, not only when a report is escalated.
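The following is an added example (not HackerOne's or Phabricator's code) of the two checks above, plus the point that the report itself makes implicitly: whatever fails, the error shown to a team member must describe the problem without echoing the submitted secret. It assumes that Phabricator Conduit API tokens are 32 characters beginning with "api-", that Conduit answers with a JSON body carrying error_code and error_info fields, and that the error codes in the mapping are illustrative; the sample response is constructed to imitate the "wrong length" error in the screenshots.

```ruby
require 'json'

# Assumption: a Phabricator Conduit API token is "api-" followed by 28
# lowercase alphanumerics (32 characters in total).
TOKEN_LENGTH  = 32
TOKEN_PATTERN = /\Aapi-[a-z0-9]{28}\z/

# Check 1: run on the integration settings page before anything is saved or
# sent to Phabricator. Returns nil when the token is well-formed, otherwise a
# message that describes the defect without repeating the submitted value.
def validate_token_format(token)
  token = token.to_s.strip
  return 'API token is required.' if token.empty?
  return 'API token must start with "api-".' unless token.start_with?('api-')
  if token.length != TOKEN_LENGTH
    return "API token must be #{TOKEN_LENGTH} characters long (got #{token.length})."
  end
  return 'API token contains unexpected characters.' unless token.match?(TOKEN_PATTERN)
  nil
end

# Check 2: when the saved settings are verified (or a report is escalated),
# map Conduit's error_code to a fixed message instead of surfacing
# error_info verbatim. The codes below are assumed, not taken from the report.
SAFE_MESSAGES = {
  'ERR-INVALID-AUTH' => 'Phabricator rejected the configured API token; a program admin must update the integration settings.',
  'ERR-CONDUIT-CALL' => 'Phabricator could not complete the request; contact a program admin.'
}.freeze
FALLBACK_MESSAGE = 'The Phabricator integration returned an error; contact a program admin.'.freeze

# Backstop: remove any literal occurrence of the secret from free text that
# could reach the UI or the logs.
def scrub_secret(text, secret)
  return text if secret.nil? || secret.empty?
  text.gsub(secret, '[REDACTED]')
end

# Returns { ok: true, result: ... } on success, or { ok: false, message: ... }
# where :message is safe to show to any team member and :log_detail is the
# scrubbed upstream detail intended for operator logs only.
def handle_conduit_response(raw_body, configured_token)
  data = begin
    JSON.parse(raw_body)
  rescue JSON::ParserError
    return { ok: false, message: FALLBACK_MESSAGE }
  end
  return { ok: false, message: FALLBACK_MESSAGE } unless data.is_a?(Hash)

  code = data['error_code']
  return { ok: true, result: data['result'] } if code.nil?

  {
    ok: false,
    message: scrub_secret(SAFE_MESSAGES.fetch(code, FALLBACK_MESSAGE), configured_token),
    log_detail: scrub_secret("conduit #{code}: #{data['error_info']}", configured_token)
  }
end

if __FILE__ == $PROGRAM_NAME
  mistyped = 'api-' + 'x' * 27 # 31 characters: one short, as in the screenshots
  puts validate_token_format(mistyped)

  # Constructed response imitating an upstream error that quotes the token.
  body = JSON.generate('result' => nil, 'error_code' => 'ERR-INVALID-AUTH',
                       'error_info' => %(API token "#{mistyped}" has the wrong length.))
  p handle_conduit_response(body, mistyped)
end
```

The message shown in the pop-up is chosen from the code only, so a new or unexpected upstream error collapses to the generic fallback rather than leaking whatever Phabricator put in error_info; the scrubbed log_detail keeps enough for an operator to debug without the secret.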

Impact

  1. API tokens are not displayed anywhere else after the integration is set up, so team members with limited permissions, who normally have no access to this information, can read them from the error message.
  2. A mistyped API token such as the one below can easily reveal an actual API token, since the mistyped value is usually the real token with a small error.

{F283481}