UPDATE - fluxgain Like Lite for Salesforce Chatter has now passed the Salesforce AppExchange security review
So we had the AppExchange security review feedback for the fluxgain Like Lite app last Thursday (25/04/13). The app had been in review for six weeks, so it has had plenty of time to be thoroughly tested. We thought we would share the items in the feedback and how we have updated the app accordingly. The app was re-submitted yesterday (29/04/13) for a follow-up AppExchange security review, so hopefully we will get the public listing on the AppExchange soon.
The AppExchange security review identified the following areas for rework:
- Open redirect
- Abuse of functionality
- Weak SSL configuration
After a couple of email exchanges and a security office hours session we had a plan in place to address the rework areas of the app. Taking them in reverse order, here is more detail about each security issue and how we fixed it.
Weak SSL configuration
Weak SSL configuration was rated as low severity by the AppExchange security review for our app.
All HTML pages from the fluxgain Like app are served over HTTPS (the code also rejects plain HTTP page requests) so that information is sent securely over the internet. We use a vanity URL, chatter.fluxgainlike.com, for the HTTPS communication, which means an SSL certificate must be set up for that hostname. To see how a website's SSL certificate and configuration look from the outside there is a handy SSL Server Test application at Qualys.
When we ran the SSL Server Test against chatter.fluxgainlike.com the results showed a certificate chaining order issue. When a website proves its identity with its certificate, a chain of trust must be shown between the website's certificate and a Root Certificate Authority that the client already trusts: the Root CA signs intermediate A, A signs B, and so on until the last intermediate signs the website's own certificate. The chains aren't normally long, but the server has to send the certificates in the right order: the website's own certificate first, followed by each intermediate in turn, so that the client can follow the issuer links back to a root in its trust store. Send them out of order, or leave an intermediate out, and some clients will fail to build the chain and reject the connection even though the certificate itself is perfectly valid.
By following step 2 in Ryan McGeary's blog post about adding SSL certificates to Heroku we updated our certificate bundle so the certificates were in the right order.
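The ordering rule above, as an added example that is not fluxgain's code and does not parse real X.509: each certificate is modelled only by its subject and issuer names, which is all that ordering needs. `chain_problems` reports what an SSL Server Test would flag in the chain as the server sent it, and `order_chain` rebuilds the correct send order (leaf first, then intermediates, root omitted) from an unordered pool, failing loudly when an intermediate is missing. The certificate names are constructed; only the hostname is from this post.

```python
"""Check and repair the order of a TLS certificate chain.

Added example, not fluxgain's code. Certificates are represented by
(subject, issuer) only; no real X.509 parsing is done. The names used in
the sample chain below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def chain_problems(sent: list[Cert], leaf_subject: str) -> list[str]:
    """Return the ordering/composition problems in the chain as sent by the server.

    Rules: the leaf comes first, each certificate must be issued by the next
    one, and a self-signed root need not be sent (clients hold it already).
    """
    if not sent:
        return ["empty chain"]
    problems = []
    if sent[0].subject != leaf_subject:
        problems.append(
            f"leaf certificate for {leaf_subject!r} is not first (got {sent[0].subject!r})"
        )
    for i in range(len(sent) - 1):
        cur, nxt = sent[i], sent[i + 1]
        if cur.issuer != nxt.subject:
            problems.append(
                f"position {i}: {cur.subject!r} is issued by {cur.issuer!r} "
                f"but the next certificate is {nxt.subject!r}"
            )
    if any(c.self_signed for c in sent):
        problems.append("self-signed root is included (harmless but unnecessary)")
    return problems


def order_chain(leaf: Cert, pool: list[Cert]) -> list[Cert]:
    """Rebuild the correct send order from a leaf and an unordered pool of issuers.

    Walks issuer links from the leaf until a self-signed root is reached.
    The root is left out of the result. Raises ValueError when an intermediate
    is missing, the other common cause of a 'chain issues' verdict.
    """
    by_subject = {c.subject: c for c in pool}
    ordered = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.self_signed:
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError(f"missing intermediate: no certificate for issuer {current.issuer!r}")
        if issuer.self_signed:
            break  # reached the root; the client supplies that itself
        if issuer.subject in seen:
            raise ValueError("cycle in issuer links")
        ordered.append(issuer)
        seen.add(issuer.subject)
        current = issuer
    return ordered


# Constructed sample chain: root -> intermediate -> site certificate.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("chatter.fluxgainlike.com", "Example Intermediate CA")

if __name__ == "__main__":
    # A server sending the intermediate before the leaf, as a mis-built bundle would.
    for p in chain_problems([INTERMEDIATE, LEAF], LEAF.subject):
        print("problem:", p)
    fixed = order_chain(LEAF, [ROOT, INTERMEDIATE])
    print("send order:", " -> ".join(c.subject for c in fixed))
```

The list returned by `order_chain` is the order in which the PEM blocks should be concatenated into the bundle uploaded to Heroku: the site certificate, then each intermediate, with the root left out.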
Abuse of functionality
Abuse of functionality was rated as medium severity by the AppExchange security review for our app.
We recently added the ability to show whether a user had already liked a web page and to change the actions available accordingly. So if a web page had not been liked the user's actions could be either "like only" or "like and comment". If the web page had already been liked then the user's only action could be "comment only".
While the app checks every incoming parameter for the correct format, permitted values and so on to avoid issues such as cross-site scripting attacks, it did not check the requested action ("like only", "like and comment" or "comment only") against whether the web page had already been liked. Validating the format of a parameter is not the same as validating that it makes sense in the current state.
So if a user manually altered the web page request, a "fluxgain Like" could be commented on without first being liked. We updated the app to compare the requested action against the already-liked value and return a 400 Bad Request response if an invalid combination is found.
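The state check described above, as an added example rather than the fluxgain Like code. It keeps the two checks separate: first that the action is one the app knows at all (the format check the app already had), then that it is permitted given whether the page is already liked. The in-memory `store`, the handler signature and the action names are assumptions; the one design point that is not negotiable is that `already_liked` is read from state the server holds, not from anything the request claims.

```python
"""Validate a Like action against the already-liked state held on the server.

Added example, not the fluxgain Like code. The store layout, handler shape
and action spellings are assumptions made for the example.
"""
from __future__ import annotations

ACTIONS_WHEN_NOT_LIKED = frozenset({"like_only", "like_and_comment"})
ACTIONS_WHEN_LIKED = frozenset({"comment_only"})
ALL_ACTIONS = ACTIONS_WHEN_NOT_LIKED | ACTIONS_WHEN_LIKED


class BadRequest(Exception):
    """A well-formed but invalid request; mapped to HTTP 400 by the handler."""


def allowed_actions(already_liked: bool) -> frozenset[str]:
    """The action set is a function of server-side state only."""
    return ACTIONS_WHEN_LIKED if already_liked else ACTIONS_WHEN_NOT_LIKED


def validate_action(action: str, already_liked: bool) -> str:
    """Check the action twice: format (a known action) and meaning (valid now)."""
    if action not in ALL_ACTIONS:
        raise BadRequest(f"unknown action {action!r}")
    if action not in allowed_actions(already_liked):
        state = "already liked" if already_liked else "not yet liked"
        raise BadRequest(f"action {action!r} is not valid for a page that is {state}")
    return action


def handle_like_request(
    store: dict, user: str, url: str, action: str, comment: str | None = None
) -> tuple[int, str]:
    """Process one request and return (HTTP status, message).

    `store` maps url -> {"likes": set of users, "comments": list of (user, text)}.
    """
    record = store.setdefault(url, {"likes": set(), "comments": []})
    # Server-held state; a client-supplied "already liked" flag is never consulted.
    already_liked = user in record["likes"]
    try:
        validate_action(action, already_liked)
    except BadRequest as exc:
        return 400, str(exc)
    if action in ("like_only", "like_and_comment"):
        record["likes"].add(user)
    if action in ("like_and_comment", "comment_only"):
        if not comment:
            return 400, "comment text required"
        record["comments"].append((user, comment))
    return 200, f"ok: {len(record['likes'])} like(s)"


if __name__ == "__main__":
    # Constructed walk-through: the tampered request first, then a valid sequence.
    store: dict = {}
    page = "https://blog.example.com/post"
    print(handle_like_request(store, "alice", page, "comment_only", "first!"))  # 400
    print(handle_like_request(store, "alice", page, "like_only"))               # 200
    print(handle_like_request(store, "alice", page, "like_only"))               # 400
    print(handle_like_request(store, "alice", page, "comment_only", "nice"))   # 200
```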
Open redirect
Open redirect was rated as medium severity by the AppExchange security review for our app.
At a basic level the fluxgain Like app used to take a URL supplied to it (via the fluxgain Like button, for example), do some processing on it and then navigate the current page to that URL. Note that this is the URL supplied to the app, not necessarily the URL of the web page the fluxgain Like button is located on, although in most cases they would be the same. A malicious website hosting the like button could therefore pass in a phishing URL that is not the current page, and when the user exited the fluxgain Like app they would land on the phishing website, which could then be used to obtain sensitive information. Because the redirect target came from the request, the app could be used to send users to any destination an attacker chose, which is what makes it an open redirect.
The app already shows the URL that is being liked to help avoid this, however given the comments from the AppExchange security review team we decided not to update the current web page at all, which removes the redirect. We looked at how the Twitter, Facebook and LinkedIn like/share buttons work and saw that they open a new window for their processing, so we decided to follow that design approach as well.
The app now opens a new browser window to do the processing in, and when it is finished the window is closed, leaving the original web page alone. The only thing updated on the original web page is the like button, which reflects the updated like count.
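Removing the navigation is the fix the review asked for. A supplied URL is still displayed and stored, so the check below is an added example of the server-side validation a practitioner would want alongside the new-window design; it is not the fluxgain Like code. It accepts only absolute http(s) URLs, rejects embedded credentials, control characters and scheme tricks, and, as an assumed extra policy, can require the liked URL to share the origin of the page that embedded the button (that origin would come from the Origin or Referer header, which is assumed, not shown). Sample inputs are constructed.

```python
"""Allowlist check for a URL supplied by an embedded Like button.

Added example, not the fluxgain Like code. Origin matching against the
embedding page is an assumed policy; the sample URLs are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048


def origin_of(url: str) -> str | None:
    """scheme://host:port with the default port filled in, or None if unusable."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return f"{scheme}://{parts.hostname.lower()}:{port}"


def safe_like_url(candidate: str, embedding_origin: str | None = None) -> str | None:
    """Return a normalised URL that is safe to display and record, or None to reject.

    Rejections cover: non-http(s) schemes (javascript:, data:), relative and
    protocol-relative forms (//evil.example), credentials in the authority
    (https://trusted.example@evil.example), control characters and backslashes
    used in header-injection and browser parsing tricks, bad ports, and, when
    an embedding origin is given, any URL outside that origin.
    """
    if not isinstance(candidate, str) or not candidate or len(candidate) > MAX_URL_LENGTH:
        return None
    if any(ord(ch) < 0x20 or ch == "\\" for ch in candidate):
        return None
    parts = urlsplit(candidate.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    try:
        parts.port
    except ValueError:
        return None
    if embedding_origin is not None and origin_of(candidate) != origin_of(embedding_origin):
        return None
    # Drop the fragment: it is never sent to the server and has no place in a stored "liked" URL.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: a normal blog URL, then the kinds of values a hostile embedding page might send.
    samples = [
        "https://blog.example.com/post?id=1#top",
        "javascript:alert(1)",
        "//evil.example/phish",
        "https://blog.example.com@evil.example/",
        "http://evil.example/\r\nLocation: https://evil.example/",
        "https://evil.example/login",
    ]
    for s in samples:
        print(repr(s), "->", safe_like_url(s, embedding_origin="https://blog.example.com/"))
```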
Given that Salesforce applications contain sensitive information and that fluxgain Like interacts with Salesforce, we thought we would share some of the ways the app is made secure. Updating the app based on the AppExchange security review shows the type of feedback we get and how we act on it. If you believe there are other potential security threats to the app please contact us.
This blog post showed some of the ways that the fluxgain Like app is secured for Salesforce users. It does not cover things such as connected apps, the principle of least privilege for OAuth, and cryptographic nonces, which the app also uses.