Security: The Bitbucket refresh tokens are not encrypted and stored in DB #23
Labels: Help Wanted (Community help wanted), Type/Enhancement (New feature or improvement of existing feature), Up For Grabs (Ready for help from the community. Removed when someone volunteers)
From comment #5 (review)
1) The Bitbucket refresh tokens are not encrypted and stored in DB
Severity: High
Steps:
When a user connects a Bitbucket account, the connection's refresh_token is stored as plain text in the DB. This value is stored unencrypted.
As a result, anyone can obtain a new access_token, and the point of having an encrypted access_token in the DB is lost.
curl -X POST -u "key:secret" https://bitbucket.org/site/oauth2/access_token -d grant_type=refresh_token -d refresh_token=refresh_token
Since Bitbucket also comprises a user's personal account, anyone who possesses this info from the DB can access the user's other private repositories that were not supposed to be shared.
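A hardened write path for the refresh_token column, added here as an example; it is not code from the project this issue belongs to. The issue does not state the project's language or schema, so Go, the `Connection` record and the `TokenCipher` type are assumptions, and the key and token values are constructed. It seals the refresh token with AES-256-GCM under a server-side key, using the record ID and column name as associated data, so that a value lifted from a DB dump no longer equals the token Bitbucket issued (and so cannot be replayed against the /site/oauth2/access_token endpoint), while the server can still decrypt it when it needs to refresh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Connection is a hypothetical DB row for a linked Bitbucket account. In the
// reported bug RefreshToken is stored in plain text; RefreshTokenEnc is the
// hardened column holding ciphertext produced by TokenCipher.
type Connection struct {
	ID              int64
	RefreshToken    string // vulnerable: plaintext, as described in the report
	RefreshTokenEnc string // hardened: base64(nonce || ciphertext || tag)
}

// TokenCipher encrypts token columns with AES-256-GCM under a key that lives
// outside the database (env var, KMS, secret store).
type TokenCipher struct{ aead cipher.AEAD }

func NewTokenCipher(key []byte) (*TokenCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("token key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenCipher{aead: aead}, nil
}

// aad binds a ciphertext to one record and column, so someone with DB write
// access cannot move an encrypted token between rows or columns.
func aad(connID int64, column string) []byte {
	return []byte(fmt.Sprintf("connection:%d:%s", connID, column))
}

// Seal encrypts plaintext with a fresh random nonce and prepends the nonce,
// so the stored column is self-contained.
func (c *TokenCipher) Seal(connID int64, column, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, []byte(plaintext), aad(connID, column))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails if the value was tampered with, truncated, or
// copied to another record/column.
func (c *TokenCipher) Open(connID int64, column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], aad(connID, column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ReplayableFromDump models the attacker in the report: a value lifted from a
// DB dump is only useful against Bitbucket if it equals the issued token.
func ReplayableFromDump(dumpValue, issuedRefresh string) bool {
	return dumpValue == issuedRefresh
}

func main() {
	key := make([]byte, 32) // constructed demo key; load from env/KMS in real code
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	tc, _ := NewTokenCipher(key)
	issued := "bb-refresh-EXAMPLE" // constructed sample token
	vuln := Connection{ID: 7, RefreshToken: issued}
	enc, _ := tc.Seal(7, "refresh_token", issued)
	hard := Connection{ID: 7, RefreshTokenEnc: enc}
	fmt.Println("vulnerable row replayable:", ReplayableFromDump(vuln.RefreshToken, issued))
	fmt.Println("hardened row replayable:  ", ReplayableFromDump(hard.RefreshTokenEnc, issued))
	pt, _ := tc.Open(7, "refresh_token", hard.RefreshTokenEnc)
	fmt.Println("server can still refresh: ", pt == issued)
}
```

The key must not sit in the same database as the rows it protects, or a dump still yields both; keep it in the environment or a secret store, and plan for rotation (a key-version prefix on the stored value is the usual way). Encryption at rest is the floor, not the ceiling: the refresh token still needs to be reachable only from the code path that calls Bitbucket, and a long-lived refresh token that has leaked should be revoked on Bitbucket's side rather than merely re-encrypted.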