Header shows number of notifications and various other controls on the 2FA auth screen
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	ox
	Jul 21 2015, 6:19 PM

Description

When logging in to Phabricator, with Multifactor Auth turned on (I use Google Authenticator), the page which prompts the MFA token will show number of alerts, number of conpherence alerts, search bar, etc. I feel like these should all be hidden until the user actually auths.

Revisions and Commits

rP Phabricator
	Closed		D18793 Don't show personalized menu items until users establish a full session
		D14922	rP08de131da525 Begin modularizing main menu items

Related Objects
Search...

		Status	Assigned	Task
		Open	epriestley	T8442 Build Space switching UI
		Resolved	epriestley	T8918 Header shows number of notifications and various other controls on the 2FA auth screen

Event Timeline

ox created this task.Jul 21 2015, 6:19 PM

ox raised the priority of this task from to Needs Triage.

ox updated the task description. (Show Details)

ox added projects: Auth, Security.

ox changed the edit policy from "All Users" to "Custom Policy".

ox added a subscriber: ox.

Herald added a subscriber: andypuettmann. · View Herald TranscriptJul 21 2015, 6:19 PM

ox renamed this task from Header shows number of notifications and various other controls on the 2FA screen to Header shows number of notifications and various other controls on the 2FA auth screen.Jul 21 2015, 6:20 PM

Can you construct a plausible scenario where this information is substantially useful to an attacker?

Is this really a case of information being useful to an attacker? Task titles, shown in notifications, can reveal the private tasks that lye within.

Say if Valve used Phabricator and they had a "HL3" task there, If someone subscribed to it got a notification and their account password was compromised elsewhere, whilst being the same pass on Phabricator, it would confirm the existence of HL3.

It's the same reason why you return a 404, instead of a 403 when you don't have permission to view items.

Thankfully clicking the notifications opens a dropdown with "undefined" in it. Maybe tagging with Security was overzealous but every MFA screen I've ever encountered showed no data from the underlying system. At worst it just looks sloppy since half of the features don't return useful data, the custom logo disappears (it's not accessible, therefore doesn't return), etc. Also, like @Lavoaster points out, there could be info in saved searches. This isn't huge, just something that should be fixed eventually.

Custom logos are experimental and not for general use (we note that it's incomplete on the field when you set it). See T4214.

Is this really a case of information being useful to an attacker?

Yes. I'd like to balance the complexity and cost of hiding this information against the value of hiding it.

Task titles, shown in notifications, can reveal the private tasks that lye within.

They can't see any of this without passing MFA. They can only see the notification count.

Say if Valve used Phabricator and they had a "HL3" task there, If someone subscribed to it got a notification and their account password was compromised elsewhere, whilst being the same pass on Phabricator, it would confirm the existence of HL3.

I agree completely that showing task titles would be a problem, and we'd fix it if they were shown. My belief is that we show only counts. I can't come up with a practical scenario where an attacker can gain anything from knowing that you have notifications.