Description

When logging in to Phabricator with multifactor auth turned on (I use Google Authenticator), the page which prompts for the MFA token shows the number of alerts, the number of Conpherence alerts, the search bar, etc. I feel like these should all be hidden until the user actually auths.
Revisions and Commits

Status | Assigned | Task
---|---|---
Open | epriestley | T8442 Build Space switching UI
Resolved | epriestley | T8918 Header shows number of notifications and various other controls on the 2FA auth screen
Event Timeline
Can you construct a plausible scenario where this information is substantially useful to an attacker?
Is this really a case of information being useful to an attacker? Task titles, shown in notifications, can reveal the private tasks that lie within.

Say Valve used Phabricator and they had an "HL3" task there. If someone subscribed to it got a notification, and their account password was compromised elsewhere whilst being the same password on Phabricator, it would confirm the existence of HL3.

It's the same reason why you return a 404 instead of a 403 when you don't have permission to view items.
Thankfully clicking the notifications opens a dropdown with "undefined" in it. Maybe tagging with Security was overzealous but every MFA screen I've ever encountered showed no data from the underlying system. At worst it just looks sloppy since half of the features don't return useful data, the custom logo disappears (it's not accessible, therefore doesn't return), etc. Also, like @Lavoaster points out, there could be info in saved searches. This isn't huge, just something that should be fixed eventually.
Custom logos are experimental and not for general use (we note that it's incomplete on the field when you set it). See T4214.
> Is this really a case of information being useful to an attacker?
Yes. I'd like to balance the complexity and cost of hiding this information against the value of hiding it.
> Task titles, shown in notifications, can reveal the private tasks that lie within.
They can't see any of this without passing MFA. They can only see the notification count.
> Say Valve used Phabricator and they had an "HL3" task there. If someone subscribed to it got a notification, and their account password was compromised elsewhere whilst being the same password on Phabricator, it would confirm the existence of HL3.
I agree completely that showing task titles would be a problem, and we'd fix it if they were shown. My belief is that we show only counts. I can't come up with a practical scenario where an attacker can gain anything from knowing that you have notifications.
> there could be info in saved searches
Ah, sure. This is a plausible scenario where we leak useful information. I'll fix this.
(This was incorrectly closed by the text "doesn't actually fix T8918" in rP08de131da525.)