Authors
HSCV #002, titled "Illegal Account Re-Activation", was a minor yet impactful database error that affected the Hydraulisc Authorisation Authority, the User Manager which handles Users, their related User Objects and any other information regarding the specific User (including email, password, profile image, banner, nickname, last seen status, custom status and trees). Inherently, this also affected all Hydraulisc-powered platforms, including The Hydraulisc App, that relied on the Hydraulisc Native Authorisation Manager.
This was a MINOR Security Vulnerability, which has already been patched.
With HCSV #002, any Accounts that had been deleted, suspended or otherwise forcefully logged out of by a server side cache purge, could stay logged in and perform some actions.
Specifically, this Security Vulnerability targeted the Hydraulisc Authorisation Authority (the User Manager which handles Users, their related User Objects and any other information regarding the specific User including email, password, profile image, nickname, last seen status, custom status and trees).
The issue persisted for only a few days before the reason was uncovered and a patch was deployed.
HCSV #002 abused the sessionID token handed to the Client connected to any Hydraulisc Platform, and issued a valid login status to the Hydraulisc Database, telling both that the User was still authorised, without requesting any confirmation from the Hydraulisc Authorisation Authority.
HCSV #002 also allowed 'create' operations to the Hydraulisc Database to be valid, making it so that a deleted, suspended or otherwise logged out User could still upload content or create new Posts.
HCSV #002 did not allow for update or delete operations to be performed.
Please note, the team at Hydraulisc-Centric Security Vulnerability have agreed that this Security Vulnerability is no longer reproducible.
Previously, the Hydraulisc Database and several Hydraulisc-powered Apps which relied on Hydraulisc's native User Manager, the Hydraulisc Authorisation Authority, relied on its core functionality to handle Users and their related User Objects, therefore handling Authorisation and allowing or denying read/write operations as a whole.
This Security Vulnerability was caused due to a three way handshake misconfiguration, which has now been patched.
As an additional security step, we've also reinforced tokens to cryptographically-signed keys, which expire every 9000 seconds (or two and a half hours).
We added a security measure (DMS - Dead Man's Switch) to the regeneration process, which automatically wipes the tokens and their corresponding keys in the event of a regeneration failure.
Guide: Severity Numbers. Lower is better. Maximum value of 20, lowest of 1.
| HCSV Code | HCSV #002 |
| Severity | 7 |
| Date uncovered | Jan. 13, 2024 |
| Date patched | Jan. 15, 2024 |
| Paper release | Mar. 14, 2024 |
SleepingAmi
PlutarianReal123