
Header shows number of notifications and various other controls on the 2FA auth screen
Closed, Resolved · Public

Description

When logging in to Phabricator, with Multifactor Auth turned on (I use Google Authenticator), the page which prompts for the MFA token will show the number of alerts, the number of conpherence alerts, the search bar, etc. I feel like these should all be hidden until the user actually auths.

Event Timeline

ox raised the priority of this task from to Needs Triage.
ox updated the task description.
ox added projects: Auth, Security.
ox changed the edit policy from "All Users" to "Custom Policy".
ox added a subscriber: ox.
ox renamed this task from Header shows number of notifications and various other controls on the 2FA screen to Header shows number of notifications and various other controls on the 2FA auth screen. Jul 21 2015, 6:20 PM

Can you construct a plausible scenario where this information is substantially useful to an attacker?

Is this really a case of information being useful to an attacker? Task titles, shown in notifications, can reveal the private tasks that lie within.

Say Valve used Phabricator and they had a "HL3" task there. If someone subscribed to it got a notification and their account password was compromised elsewhere, whilst being the same pass on Phabricator, it would confirm the existence of HL3.

It's the same reason why you return a 404, instead of a 403 when you don't have permission to view items.

Thankfully clicking the notifications opens a dropdown with "undefined" in it. Maybe tagging with Security was overzealous but every MFA screen I've ever encountered showed no data from the underlying system. At worst it just looks sloppy since half of the features don't return useful data, the custom logo disappears (it's not accessible, therefore doesn't return), etc. Also, like @Lavoaster points out, there could be info in saved searches. This isn't huge, just something that should be fixed eventually.

Custom logos are experimental and not for general use (we note that it's incomplete on the field when you set it). See T4214.

> Is this really a case of information being useful to an attacker?

Yes. I'd like to balance the complexity and cost of hiding this information against the value of hiding it.

> Task titles, shown in notifications, can reveal the private tasks that lie within.

They can't see any of this without passing MFA. They can only see the notification count.

> Say Valve used Phabricator and they had a "HL3" task there. If someone subscribed to it got a notification and their account password was compromised elsewhere, whilst being the same pass on Phabricator, it would confirm the existence of HL3.

I agree completely that showing task titles would be a problem, and we'd fix it if they were shown. My belief is that we show only counts. I can't come up with a practical scenario where an attacker can gain anything from knowing that you have notifications.

> there could be info in saved searches

Ah, sure. This is a plausible scenario where we leak useful information. I'll fix this.
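The principle the thread settles on, that a session which has passed the password step but not MFA should expose no user-specific data (counts, saved searches, the install's custom logo) and that a visibility check should not distinguish "does not exist" from "forbidden", can be modelled in a few lines. The following is an added example and is not Phabricator's code; the session states, the `render_header` and `visibility_status` functions, and the sample user data are all hypothetical and constructed for illustration.

```python
"""Gate user-specific UI chrome on full authentication (added example, not Phabricator code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional


class AuthState(Enum):
    ANONYMOUS = "anonymous"
    PASSWORD_ONLY = "password_only"  # password accepted, MFA still pending
    FULL = "full"                    # password and MFA both passed


@dataclass
class Session:
    user_id: Optional[str]
    state: AuthState


@dataclass
class UserData:
    notification_count: int
    conpherence_count: int
    saved_searches: List[str] = field(default_factory=list)
    custom_logo_url: Optional[str] = None


# Constructed sample data; the saved-search title stands in for the kind of
# private information the thread is worried about leaking.
SAMPLE_DATA: Dict[str, UserData] = {
    "alice": UserData(3, 1, ["Open tasks tagged HL3"], "https://example.invalid/logo.png"),
}


class RecordingLoader:
    """Loader that counts how often user data is actually fetched."""

    def __init__(self, store: Dict[str, UserData]) -> None:
        self.store = store
        self.calls = 0

    def __call__(self, user_id: str) -> UserData:
        self.calls += 1
        return self.store[user_id]


def is_fully_authenticated(session: Session) -> bool:
    return session.user_id is not None and session.state is AuthState.FULL


def render_header(session: Session, load_user_data: Callable[[str], UserData]) -> dict:
    """Return the header components permitted for this session.

    A partial session (password accepted, MFA pending) gets the same stripped
    header an anonymous visitor would. User data is not even loaded until the
    session is fully authenticated, so nothing can leak through a half-built
    widget.
    """
    if not is_fully_authenticated(session):
        return {
            "logo": "default",
            "search": False,
            "notifications": None,
            "conpherence": None,
            "saved_searches": [],
            "actions": ["log_out"],
        }
    data = load_user_data(session.user_id)
    return {
        "logo": data.custom_logo_url or "default",
        "search": True,
        "notifications": data.notification_count,
        "conpherence": data.conpherence_count,
        "saved_searches": list(data.saved_searches),
        "actions": ["log_out"],
    }


def visibility_status(exists: bool, viewer_can_see: bool) -> int:
    """Collapse 'does not exist' and 'not permitted' into one response code.

    Returning 404 for both means the status code itself does not confirm
    that a hidden object exists, which is the point made about 404 vs 403.
    """
    return 200 if (exists and viewer_can_see) else 404


if __name__ == "__main__":
    loader = RecordingLoader(SAMPLE_DATA)
    print(render_header(Session("alice", AuthState.PASSWORD_ONLY), loader))
    print(render_header(Session("alice", AuthState.FULL), loader))
    print("loads:", loader.calls)
```

The key design choice is that the header renderer receives a loader rather than pre-fetched data: the partial-session branch returns before the loader is ever called, so the invariant "no user data is touched before MFA" is enforced by control flow rather than by remembering to blank out each field.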

epriestley triaged this task as Normal priority. Jul 22 2015, 1:29 PM

(This was incorrectly closed by the text "doesn't actually fix T8918" in rP08de131da525.)

I fumbled the task ID in D18793, but this should be resolved by that change.