Reported security bug: Persistent session accessibility in Datahub even after reinstallation

Original Slack Thread

hi, I wanted to report a security bug: if you authenticate in datahub, then even if you reinstall the whole datahub completely (in my case docker), the session that is stored in the browser still allows the user to be logged in to the new instance of datahub, even though there is no such user at all. It is a really serious issue because it probably allows replicating the session to any other current instance and just being able to see data.

Hi Yerbol! This is because the access token that we had generated for your user must have still been considered valid, e.g. because the cookie contained a secret that was signed by the same secret that your local datahub instance is using (on both deploys they are the same). DataHub Authenticators simply use this token to determine whether a user should be considered “logged in”, independent of whether a user object is materialized inside of datahub (this is by design).

Thank you for the report!

got it, I thought the same, but just wanted to make sure. this is because docker has the same secret all the time. Still, if any company uses standard docker in production and makes the domain public - anyone could access it by generating the session on another machine. might be a good thing to re-generate it randomly each time.

unless there is a connection to the domain name

  • might be a good idea to check if user even exists in the db as an additional layer of security.