HCSV #002, titled "Illegal Account Re-Activation", was a minor yet impactful database error that affected the Hydraulisc Authorisation Authority, the User Manager which handles Users, their related User Objects and any other information regarding the specific User (including email, password, profile image, banner, nickname, last seen status, custom status and trees). By extension, this also affected all Hydraulisc-powered platforms, including The Hydraulisc App, that relied on the Hydraulisc Native Authorisation Manager.
This was a MINOR Security Vulnerability, which has already been patched.
With HCSV #002, any Account that had been deleted, suspended or otherwise forcibly logged out by a server-side cache purge could stay logged in and perform some actions.
Specifically, this Security Vulnerability targeted the Hydraulisc Authorisation Authority (the User Manager which handles Users, their related User Objects and any other information regarding the specific User including email, password, profile image, nickname, last seen status, custom status and trees).
The issue persisted for only a few days before the reason was uncovered and a patch was deployed.
HCSV #002 abused the sessionID token handed to the Client connected to any Hydraulisc Platform: that token alone was enough to establish a valid login status with the Hydraulisc Database, so both the Client and the Database treated the User as still authorised without any confirmation being requested from the Hydraulisc Authorisation Authority.
HCSV #002 also allowed 'create' operations against the Hydraulisc Database to succeed, so a deleted, suspended or otherwise logged-out User could still upload content or create new Posts.
HCSV #002 did not allow for update or delete operations to be performed.
Please note that the Hydraulisc-Centric Security Vulnerability team has agreed that this Security Vulnerability is no longer reproducible.
Previously, the Hydraulisc Database and several Hydraulisc-powered Apps that used Hydraulisc's native User Manager, the Hydraulisc Authorisation Authority, relied on its core functionality to handle Users and their related User Objects, and therefore relied on it to handle Authorisation and to allow or deny read/write operations as a whole.
This Security Vulnerability was caused by a three-way handshake misconfiguration, which has now been patched.
As an additional security step, we've also hardened tokens into cryptographically signed keys, which expire every 9000 seconds (or two and a half hours).
We added a security measure (DMS - Dead Man's Switch) to the regeneration process, which automatically wipes the tokens and their corresponding keys in the event of a regeneration failure.
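As an added illustration (not the Hydraulisc project's own code), the following Python contrasts the HCSV #002 check, which trusted the sessionID on its own, with a patched check that verifies a signed, expiring token and confirms the account's status with the Authority before allowing an operation, plus a Dead Man's Switch on token regeneration. The token format, the ACCOUNT_STATUS register, the SESSIONS store and all function names are assumptions made for this example.

```python
import base64, hashlib, hmac, json

TOKEN_TTL_SECONDS = 9000  # lifetime quoted in the advisory (two and a half hours)

# Constructed stand-in for the Authorisation Authority's account register.
ACCOUNT_STATUS = {"alice": "active", "bob": "deleted", "carol": "suspended"}
SESSIONS = {}  # constructed in-memory store: user -> (token, signing key)

def issue_token(user, key, now):
    """Signed, expiring session token (hypothetical format: b64(payload).hex(hmac))."""
    payload = json.dumps({"sub": user, "exp": int(now) + TOKEN_TTL_SECONDS}).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def vulnerable_is_authorised(token, action):
    """HCSV #002 behaviour: a well-formed sessionID is trusted on its own. Nothing
    is verified and the Authority is never asked whether the account still exists,
    so a deleted or suspended User can still read and create."""
    payload = json.loads(base64.urlsafe_b64decode(token.split(".")[0]))
    return "sub" in payload and action in {"read", "create"}

def hardened_is_authorised(token, action, key, now):
    """Patched behaviour: check signature, then expiry, then ask the Authority
    whether the account is still active before allowing any operation."""
    try:
        b64_payload, sig = token.split(".")
        payload_bytes = base64.urlsafe_b64decode(b64_payload)
    except ValueError:
        return False
    expected = hmac.new(key, payload_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    payload = json.loads(payload_bytes)
    if now >= payload["exp"]:
        return False
    if ACCOUNT_STATUS.get(payload["sub"]) != "active":
        return False
    return action in {"read", "create", "update", "delete"}

def regenerate(user, now, key_source):
    """Dead Man's Switch: on a regeneration failure, wipe the User's existing
    token and key instead of leaving the stale pair usable."""
    try:
        key = key_source()  # key_source is a constructed callable that may raise
        SESSIONS[user] = (issue_token(user, key, now), key)
        return True
    except Exception:
        SESSIONS.pop(user, None)
        return False
```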
Guide: Severity Numbers. Lower is better. Maximum value of 20, lowest of 1.
| Field | Value |
| --- | --- |
| HCSV Code | HCSV #002 |
| Severity | 7 |
| Date uncovered | Jan. 13, 2024 |
| Date patched | Jan. 15, 2024 |
| Paper release | Mar. 14, 2024 |