Securing your Interactions with Third Party APIs
When registering for an API to use in Scrummage please consider the following:
- Don't register for an API using a personal account or a business account that is used to perform other operations, for example:
  - A social media account used by marketing to post content representing the organisation.
  - Your personal social media account used to keep in touch with friends.
- Follow the principle of least privilege. Some API registrations have a series of roles that need to be requested to perform certain operations. Put simply, only obtain the permissions Scrummage needs to run its searches.
API keys and secrets are stored in a plaintext `config.json` file. Before worrying about this, read the justification for the decision in the "Note about securing the config.json file" section of the wiki page The Long List of Tasks. However, steps need to be taken to ensure that the system where Scrummage is running, and where these secrets are stored, is secured. While this isn't a full guide to system hardening, please consider the following:
- The `config.json` file already has its ownership restricted to the account used to install Scrummage, and only the owner can read it. If you are using the Docker image, this account is root. Installing the application as root is advisable if done manually, but ensure root access is heavily restricted via something like a PAM solution.
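A small check for the ownership and permission requirement described above, added here as an example and not part of the Scrummage code base. It assumes a POSIX host (it uses `os.getuid`) and takes the path to `config.json` as an argument; the default path `config.json` is an assumption.

```python
"""Audit that a Scrummage config.json is readable only by the account that runs Scrummage.

Added example, not Scrummage's own code. Assumes a POSIX host.
"""
import os
import stat
import sys

# Assumed default location; pass the real path on the command line.
DEFAULT_CONFIG = "config.json"


def audit_permissions(mode: int, owner_uid: int, current_uid: int) -> list[str]:
    """Return findings for a file with the given st_mode and owner uid.

    Only the permission bits of `mode` are examined, so a value such as
    0o100644 (regular file, rw-r--r--) can be passed straight from os.stat.
    """
    findings = []
    if owner_uid != current_uid:
        findings.append(f"owner uid {owner_uid} differs from running uid {current_uid}")
    if mode & stat.S_IRWXG:
        findings.append("group has access; expected no group permission bits")
    if mode & stat.S_IRWXO:
        findings.append("other users have access; expected no world permission bits")
    if mode & stat.S_IXUSR:
        findings.append("owner execute bit set on a data file")
    return findings


def check_config_file(path: str = DEFAULT_CONFIG) -> list[str]:
    """Stat the config file and its directory and return all findings (empty = OK)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} not found"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink would let the secrets be redirected elsewhere; flag it rather than follow it.
        return [f"{path} is a symbolic link; expected a regular file"]
    findings = audit_permissions(st.st_mode, st.st_uid, os.getuid())
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("containing directory is world-writable without the sticky bit")
    return findings


if __name__ == "__main__":
    problems = check_config_file(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONFIG)
    for problem in problems:
        print("WARNING:", problem)
    sys.exit(1 if problems else 0)
```

Run it as the account that runs Scrummage; a non-zero exit means the file is readable or writable by someone other than that owner.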
Below is a table of identified security weaknesses in the third-party Platforms integrated with Scrummage. Developers of the Scrummage project have no control over the way these Platforms work, but we can at least list them. If you are uncomfortable with the security weaknesses identified, we can only recommend you avoid using the affected tasks.
| Vulnerability Title | Affected Plugin | Affected Third-Party Platform | Description | Risk |
|---|---|---|---|---|
| Use of insecure hashing algorithm | OK_Search.py | Odnoklassniki (Russian Social Media Platform) | The API required to query information on the Russian Social Media site Odnoklassniki (A.K.A OK) includes a signature that uses the insecure MD5 hashing algorithm. Ideally they should use a more secure algorithm like SHA256. | Low |
| Use of insecure hashing algorithm | Gravatar_Search.py | Gravatar | To search Gravatar, the provided email address needs to be hashed using the MD5 algorithm. This doesn't impact the Scrummage platform itself, but the risk is that searching for one email's Gravatar could return that of another email due to an MD5 collision. Ideally they should use a more secure algorithm like SHA256. | Low |
| Try, Except, Pass | DNS_Recon_Search.py | Python library: checkdmarc | The checkdmarc library uses the `pass` statement when an exception is thrown, silently swallowing the error. This is considered a bad programming practice. After thorough analysis, no security risk is presented as a result of this being present in the library. | Informational |