security consideration for syncing pcd subscriptions #1402

Open
ichub opened this issue Jan 9, 2024 · 0 comments
ichub (Contributor) commented Jan 9, 2024

High level, I believe that subscriptions overall are a powerful (perhaps too powerful) abstraction that, as a result of their power, are a target for security exploits. Another high-level thing I want to call out is that subscriptions are a different sort of thing from PCDs, and syncing them should take into consideration different types of failure modes.

For a PCD, the sync failure mode is basically that you lost one.

For a subscription, the sync failure mode is not just losing a subscription - another thing that can fail to sync properly is the 'permissions' of a subscription - i.e. what it's allowed to 'write' - and the credential of a subscription - i.e. what it's allowed to 'read' (not sure entirely how the credential system works at this point, but I anticipate it to only become more powerful. @robknight would probably have more thoughts). This is important to consider because subscriptions are essentially Zupass' interface to the external world, and on the other end of a subscription sits a clever and potentially malicious individual who has access to all of their subscribers and who can to some extent 'read' from and 'write to' their Zupasses.

To expedite where I'm going with this I will make an analogy. Imagine it was commonplace for people to have multiple Android devices, and that Android provided a native sync functionality that duplicated your data on all the devices. Imagine you have an app like Google Photos to which you granted 'read' access to all your photos. Then, you used your phone to take pictures of your passport in order to upload them to your company's HR software. In a fit of paranoia, you revoke the photos permission from Google Photos on one of your devices - why risk having such a sensitive document auto-upload to some server you don't control? Your photos end up synced to your 2nd device, where the permission change was not picked up due to merge working the way it works here, and your passport pics are uploaded anyway. Pwned! The same thing can now happen in Zupass.

Originally posted by @ichub in #1360 (comment)

@ichub ichub added the security label Jan 9, 2024
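The failure mode described in the comment above, as an added illustrative model that is not Zupass code: two synced devices merge the permission state of one subscription. The `naiveMerge`, `revocationAwareMerge`, `Permissions` shape, timestamps and the device states are all assumptions constructed for the example; a grant-wins merge resurrects a revocation made on one device, while a merge that tracks per-permission change time and fails closed on ties does not.

```typescript
// Hypothetical model, not Zupass code: how two synced devices might merge
// the permissions of one subscription, and why a revocation made on one
// device can be silently undone by a grant-wins merge.
type Permission = "read" | "write";

interface PermissionEntry {
  granted: boolean;
  updatedAt: number; // when this device last changed the entry (assumed ms clock)
}

type Permissions = Record<Permission, PermissionEntry>;

// Naive merge: a permission is granted if either device says so.
// This is the failure mode in the comment: the other device's stale
// grant overrides the revocation.
function naiveMerge(a: Permissions, b: Permissions): Permissions {
  const out = {} as Permissions;
  for (const p of Object.keys(a) as Permission[]) {
    out[p] = a[p].granted ? a[p] : b[p];
  }
  return out;
}

// Revocation-aware merge: per permission, the most recent change wins,
// and when both sides changed it at the same time the revocation wins
// (fail closed rather than fail open).
function revocationAwareMerge(a: Permissions, b: Permissions): Permissions {
  const out = {} as Permissions;
  for (const p of Object.keys(a) as Permission[]) {
    const x = a[p];
    const y = b[p];
    if (x.updatedAt !== y.updatedAt) {
      out[p] = x.updatedAt > y.updatedAt ? x : y;
    } else {
      out[p] = x.granted ? y : x; // tie: prefer whichever side is revoked
    }
  }
  return out;
}

// Constructed scenario: both devices granted read+write at t=1; device A
// revoked write at t=5; device B never saw the revocation before the sync.
const deviceA: Permissions = {
  read: { granted: true, updatedAt: 1 },
  write: { granted: false, updatedAt: 5 },
};
const deviceB: Permissions = {
  read: { granted: true, updatedAt: 1 },
  write: { granted: true, updatedAt: 1 },
};
```

Running `naiveMerge(deviceA, deviceB)` reports `write` as still granted, which is the stale permission the comment warns about; `revocationAwareMerge` on the same inputs keeps `write` revoked and `read` granted.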