HCSV #001, named "Unauthorised Interoperable Account Access", was a major Security Vulnerability that affected all Hydraulisc-powered platforms, including The Hydraulisc App.
This was a SEVERE Security Vulnerability, and we highly recommend that you change your password(s)!
With HCSV #001, any and all Accounts across any and all Hydraulisc-powered Apps, Websites, etc. were shared publicly.
Specifically, this Security Vulnerability targeted the Hydraulisc Authorisation Authority; the User Manager which handles Users, their related User Objects and any other information regarding the specific User (including email, password, profile image, nickname, last seen status, custom status and trees).
We highly suggest you change your password(s)!
HCSV #001 created a server-side cache which logged new users on new connections into the account of the previously logged-in user. As a result, multiple Users, across multiple connections and on various devices, would all be logged into a single account and have full access as if it were their own. This alone raises serious concerns, as a decent amount of damage can be done simply by being logged in to another user's account (email spoofing, account deletion, password changes, and in some extreme cases, accounts getting banned for violating a platform's rules).
Additionally, HCSV #001 bypassed CAPTCHAs, allowing the new User to skip most CAPTCHA challenges on that specific platform, and bypassed Password Confirmation prompts by automatically forcing a valid authorisation to the backend, which permitted destructive actions such as password changes, account deletions, and enabling/disabling 2-Factor Authorisation.
HCSV #001 also forced all write operations to the Hydraulisc Database to be valid, excluding some restricted actions.
First of all, this is (at the time of writing) no longer a concern. The team at Hydraulisc-Centric Security Vulnerability have agreed that this Security Vulnerability is no longer reproducible.
Previously, the Hydraulisc Authorisation Authority would simply request a valid email and password combination to sign in any User. The Hydraulisc Authorisation Authority now denies any request that doesn't contain a valid cryptographically-signed key along with the email and password. Furthermore, this cryptographically-signed key is unique to every user and every session, so it will only ever match one user's connection at a time.
Additionally, this cryptographically-signed key is inaccessible to the User and not tied with any data related to the User or User Objects.
This also applies to new Users signing up for an account on any Hydraulisc-powered platform.
As an additional security step, we've also added tokens to cryptographically-signed keys, which expire every 9000 seconds (or two and a half hours).
This means that every two and a half hours, your cryptographically-signed key's token will expire, and you will either be logged out or the token will be regenerated (this depends on the platform's implementation of these patches).
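To make the flaw and the fix concrete, here is an added illustrative example (not Hydraulisc's code; the class names, sample users and server secret are constructed, and the `now` parameter exists only to make expiry testable) contrasting a shared server-side "current user" cache with a per-session HMAC-signed key that must accompany the email and password and expires after 9000 seconds:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 9000  # seconds; the two-and-a-half-hour expiry the advisory describes
USERS = {"alice@example.com": "alice-pw", "bob@example.com": "bob-pw"}  # constructed sample store

class VulnerableAuthority:  # reconstructs the flaw: one server-wide "current user" slot
    def __init__(self):
        self.cached_user = None  # shared by every connection: the bug

    def sign_in(self, email, password):
        if USERS.get(email) == password:
            self.cached_user = email
        # Every connection, whether or not its credentials were valid, is served the cached user.
        return self.cached_user

class SignedKeyAuthority:  # hardened: a per-session signed key must accompany email + password
    def __init__(self, server_secret):
        self.secret = server_secret
        self.sessions = {}  # session_id -> email, kept server-side only

    def _mac(self, payload):
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def sign_in(self, email, password, now=None):
        if USERS.get(email) != password:
            return None
        now = int(time.time() if now is None else now)
        session_id = secrets.token_hex(16)  # unique per user and per session
        self.sessions[session_id] = email
        payload = f"{session_id}:{now}"
        return f"{payload}:{self._mac(payload)}"  # opaque key; carries no user data

    def authorise(self, email, password, key, now=None):
        if USERS.get(email) != password:
            return None
        parts = key.split(":")
        if len(parts) != 3:
            return None
        session_id, issued, mac = parts
        if not hmac.compare_digest(mac.encode(), self._mac(f"{session_id}:{issued}").encode()):
            return None  # forged or tampered key
        now = int(time.time() if now is None else now)
        if now - int(issued) > TOKEN_TTL:
            return None  # token expired: the platform logs out or regenerates
        if self.sessions.get(session_id) != email:
            return None  # valid key, but bound to another user's session
        return email
```

Note that `VulnerableAuthority` hands a second connection with bogus credentials the previous user's account, while `SignedKeyAuthority` rejects the same request because no signed key for that session exists.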
Guide: lower number is better. Maximum value of 20, lowest of 1.

| Field | Value |
| --- | --- |
| HCSV Code | HCSV #001 |
| Severity | 20 |
| Date uncovered | Sept. 02, 2023 |
| Date patched | Sept. 06, 2023 |
| Paper release | Sept. 12, 2023 |