UPDATE - the fluxgain Like Lite for salesforce chatter has now passed the salesforce appexchange security review

So we received the appexchange security review feedback for the fluxgain Like Lite app last Thursday (25/04/13). The app had been in review for 6 weeks, so it has had plenty of time to be thoroughly tested. We thought we would share the items in the feedback and how we have updated the app accordingly. The app was re-submitted yesterday (29/04/13) for a follow-up appexchange security review, so hopefully we will get the public listing on the appexchange soon.

The appexchange security review identified the following areas for rework:

  1. Open redirect
  2. Abuse of functionality
  3. Weak SSL configuration

After a couple of email exchanges and a security office hours session we had a plan in place to address the rework areas of the app. So, in reverse order, here is more detail about each security issue and how we fixed it.

Weak SSL configuration

Weak SSL configuration was rated as low severity by the appexchange security review for our app.

All HTML pages from the fluxgain Like app go over HTTPS (we even reject plain HTTP page requests in the code) to ensure information is sent securely over the internet. We use a vanity url, chatter.fluxgainlike.com, for the HTTPS communication, which must have an SSL certificate set up. To see how a website's SSL configuration and certificate look from the outside there is a handy SSL Server Test application at Qualys (SSL Labs).

Some examples of websites analysed by the Qualys SSL Server Test were shown here.

When we ran the SSL Server Test against chatter.fluxgainlike.com a certificate chaining order issue was shown in the results. When a web site proves its identity with its certificate, the browser must be able to build a chain of trust from the web site's certificate up to a Root Certificate Authority it already trusts. So the Root Certificate Authority signs A, A signs B, B signs C, and so on until the last one signs the web site's certificate. The chains aren't normally long, but the server is expected to send the certificates in exactly that order: its own certificate first, then each intermediate in turn (the root itself is optional, because the browser already has a copy). If the intermediates are sent out of order, or one is missing, stricter clients cannot build the chain, and the SSL Server Test reports it as a chain issue.

By following step 2 in Ryan McGeary's blog post about adding SSL certificates to Heroku we rebuilt our certificate bundle so the certificates were in the right order.
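The check described above can be done offline from the chain a server actually sends. The following is an added example (not the app's code and not Qualys's tooling): it parses the output of `openssl s_client -showcerts`, reports where the sent order breaks the issuer/subject links, and rebuilds the bundle leaf-first. The sample input is constructed for this example, with placeholder PEM bodies rather than real certificates, and the file layout it writes is an assumption about what a server expects, not something the page states.

```python
"""Check and repair the order of a TLS certificate chain as a server sends it.

Input is the text printed by
    openssl s_client -connect host:443 -servername host -showcerts </dev/null
which lists each certificate with its subject ("s:") and issuer ("i:") before
the PEM block.  Only the s:/i: lines are compared, so no DER parsing is needed;
the PEM blocks are carried along so a correctly ordered bundle can be written.
"""
import re
from dataclasses import dataclass


@dataclass
class ChainCert:
    subject: str
    issuer: str
    pem: str


# One entry of the "Certificate chain" section.  Older openssl prints names as
# "/CN=host", newer as "CN = host"; strings are only compared within one output.
ENTRY_RE = re.compile(
    r"^\s*\d+\s+s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r".*?(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.S | re.M,
)


def parse_showcerts(text):
    """Return the certificates in the order the server sent them."""
    return [ChainCert(m["subject"].strip(), m["issuer"].strip(), m["pem"])
            for m in ENTRY_RE.finditer(text)]


def chain_problems(certs):
    """List every place where the sent order breaks the chain.
    In a correct chain each certificate's issuer is the next one's subject."""
    problems = []
    for pos in range(len(certs) - 1):
        cur, nxt = certs[pos], certs[pos + 1]
        if cur.issuer != nxt.subject:
            problems.append(f"position {pos}: '{cur.subject}' is issued by "
                            f"'{cur.issuer}' but is followed by '{nxt.subject}'")
    return problems


def reorder(certs):
    """Rebuild the chain leaf-first by following issuer -> subject links.
    Raises ValueError when no single chain can be formed (e.g. a missing
    intermediate), which reordering cannot fix."""
    by_subject = {c.subject: c for c in certs}
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    ordered, cur = [], leaves[0]
    while True:
        ordered.append(cur)
        if cur.issuer == cur.subject:        # self-signed root: chain complete
            break
        nxt = by_subject.get(cur.issuer)
        if nxt is None:                       # root not sent (fine) or intermediate missing
            break
        if nxt in ordered:
            raise ValueError("cycle in chain")
        cur = nxt
    if len(ordered) != len(certs):
        unused = [c.subject for c in certs if c not in ordered]
        raise ValueError(f"not linked into the chain: {unused}")
    return ordered


def pem_bundle(certs):
    """Concatenate PEM blocks in chain order (assumed server bundle layout)."""
    return "\n".join(c.pem for c in certs) + "\n"


# Constructed sample in the -showcerts layout; PEM bodies are placeholders.
# The root is sent before the intermediate, the kind of misorder flagged above.
SAMPLE_WRONG_ORDER = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = chatter.example.com
   i:O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF
-----END CERTIFICATE-----
 1 s:CN = Example Root
   i:CN = Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT
-----END CERTIFICATE-----
 2 s:O = Example CA, CN = Example Intermediate
   i:CN = Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE
-----END CERTIFICATE-----
---
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WRONG_ORDER
    certs = parse_showcerts(text)
    for p in chain_problems(certs):
        print("problem:", p)
    print("correct order:", [c.subject for c in reorder(certs)])
```

Run it against a captured `-showcerts` output to see the misordered positions and the order the bundle should be in; an empty problem list on the rebuilt chain is the condition the SSL Server Test is checking for.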

Abuse of functionality

Abuse of functionality was rated as medium severity by the appexchange security review for our app.

We recently added the ability to show whether a user had already liked a web page and changed the actions they could take accordingly. So if a web page had not been liked the user's action could be either "like only" or "like and comment". If the web page had already been liked then the user's only action could be "comment only".

While the app checks every incoming parameter for the correct format, values, etc. to avoid issues such as cross-site scripting attacks, that is only syntactic validation of each parameter on its own. It did not check the requested action ("like only", "like and comment" or "comment only") against the server's own record of whether the web page had already been liked.

So if a user manually altered the web page request, a "fluxgain Like" could be commented on without first being liked. We updated the app to compare the requested action against the already-liked value held on the server and return a 400 Bad Request page if an invalid combination is found.
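The shape of that fix, as an added example rather than the app's own code: the parameter is still validated for allowed values, but the action is then compared with server-side state before anything is changed, and any inconsistency becomes a 400. The `likes` store (url to set of users) and the rule that comment actions need a non-empty comment are assumptions made for this example.

```python
"""Server-side check of the requested action against the like state."""
from enum import Enum


class Action(str, Enum):
    LIKE_ONLY = "like only"
    LIKE_AND_COMMENT = "like and comment"
    COMMENT_ONLY = "comment only"


# Actions the server accepts in each state.  The client knows this table
# too (it decides which buttons to show), but its choice is never trusted.
ALLOWED = {
    False: frozenset({Action.LIKE_ONLY, Action.LIKE_AND_COMMENT}),  # not yet liked
    True: frozenset({Action.COMMENT_ONLY}),                          # already liked
}


class BadRequest(Exception):
    """Any failed check becomes a 400 Bad Request with no state change."""


def parse_action(raw):
    # Syntactic check (allowed values only).  On its own this does not stop
    # a tampered but well-formed request.
    try:
        return Action(raw)
    except ValueError:
        raise BadRequest(f"unknown action {raw!r}") from None


def check_action_allowed(action, already_liked):
    # Semantic check: the action must be consistent with server-side state.
    if action not in ALLOWED[already_liked]:
        state = "already liked" if already_liked else "not yet liked"
        raise BadRequest(f"action {action.value!r} is invalid when the page is {state}")


def handle_like_request(params, likes, user):
    """Process one like/comment request.

    params: decoded request parameters (str -> str)
    likes:  server-side store, url -> set of users who liked it (assumed shape)
    user:   the authenticated user making the request
    Returns (http_status, response_dict).
    """
    try:
        url = params.get("url", "")
        if not url:
            raise BadRequest("url is required")
        action = parse_action(params.get("action", ""))
        comment = params.get("comment", "").strip()
        if action is not Action.LIKE_ONLY and not comment:
            raise BadRequest("comment is required for this action")
        already_liked = user in likes.get(url, set())   # never taken from the request
        check_action_allowed(action, already_liked)
    except BadRequest as err:
        return 400, {"error": str(err)}

    # All checks passed: apply the state change.
    if action in (Action.LIKE_ONLY, Action.LIKE_AND_COMMENT):
        likes.setdefault(url, set()).add(user)
    return 200, {
        "url": url,
        "liked": user in likes[url],
        "like_count": len(likes[url]),
        "comment_saved": action is not Action.LIKE_ONLY,
    }


if __name__ == "__main__":
    store = {}
    page = "https://example.com/post/1"
    # A tampered request: "comment only" on a page this user has not liked.
    print(handle_like_request({"url": page, "action": "comment only",
                               "comment": "x"}, store, "alice"))
    print(handle_like_request({"url": page, "action": "like and comment",
                               "comment": "nice"}, store, "alice"))
```

The point of keeping `parse_action` and `check_action_allowed` separate is that they fail for different reasons: the first rejects values the app never defined, the second rejects a valid value sent at the wrong time, which is exactly the gap the review found.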

 

Already Liked web page

Open redirect

Open redirect was rated as medium severity by the appexchange security review for our app.

At a basic level the fluxgain Like app used to take a url supplied to it (via the fluxgain Like button, for example), do some processing on it, and then navigate the current page to that url. That url is not necessarily the url of the web page the fluxgain Like button is located on, although in most cases they would be the same. A malicious web site hosting the like button could therefore pass in a phishing url that is not the current page, so when the user exited the fluxgain Like app they would land on the phishing website, which could then be used to obtain sensitive information.

The app already shows the url that is being liked, which helps the user notice this, but given the comments from the appexchange security review team we decided to stop updating the current web page altogether and so avoid the redirect issue. We looked at how the twitter/facebook/linkedin like/share buttons work and saw that they open a new window for their processing, so we decided to follow that design approach as well.

The app now opens a new browser window to do the processing in and when it is finished the window is closed down, thus leaving the original web page alone. The only thing updated on the original web page is the like button which reflects the updated like count.
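The two behaviours side by side, as an added example and not the app's code: the old handler turned the caller-supplied url into a redirect, while the popup design returns a page that shows the url and closes itself, so the opener is never navigated. The http(s)-only check on the displayed url is an added caveat of this example (the page does not say how the app validates the url): a url that is echoed back as a link has to be restricted to web schemes so that, for instance, a `javascript:` url cannot ride along instead.

```python
"""Open redirect: the old redirect-to-supplied-url behaviour beside the popup design."""
import html
from urllib.parse import urlsplit


def legacy_finish(params):
    """BEFORE: the browser was sent to whatever 'url' the embedding site supplied,
    so a hostile page hosting the button could hand the user to a phishing site
    once the like was done.  Returns (status, headers, body)."""
    return 302, {"Location": params.get("url", "/")}, ""


def displayable_url(raw):
    """Accept only absolute http(s) urls with a host; refuse everything else.
    (Assumed validation rule for this example.)"""
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("url must be an absolute http(s) url")
    return raw


def popup_finish(params):
    """AFTER: the work happens in a window the button opened and the final
    response never redirects.  It shows the url that was liked, so the user can
    see what they acted on, and closes the popup, leaving the opener page alone.
    Returns (status, headers, body)."""
    try:
        url = displayable_url(params.get("url", ""))
    except ValueError as err:
        return 400, {"Content-Type": "text/plain"}, str(err)
    safe = html.escape(url, quote=True)   # the url is attacker-controlled text
    body = (f'<p>Liked: <a href="{safe}" rel="noopener noreferrer">{safe}</a></p>\n'
            "<script>window.close();</script>\n")
    return 200, {"Content-Type": "text/html"}, body


if __name__ == "__main__":
    hostile = {"url": "https://phish.example/login"}   # constructed attacker input
    print(legacy_finish(hostile))
    print(popup_finish(hostile))
    print(popup_finish({"url": "javascript:alert(1)"}))
```

Note that the redirect is removed rather than filtered: an allow-list of hosts is not possible here because the button legitimately gets embedded on arbitrary sites, which is why the structural change (new window, no navigation of the opener) is the right fix for this app.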

Wrap up

Given that salesforce applications contain sensitive information and that fluxgain Like interacts with salesforce, we thought we would share some of the ways the app is made secure. Updating the app based on the appexchange security review shows the type of feedback we get and how we act on it. If you believe there are other potential security threats to the app please contact us.

This blog post showed some of the ways that the fluxgain Like app is secured for salesforce users; it does not cover things such as connected apps, the principle of least privilege for OAuth scopes, and cryptographic nonces, which the app also uses.

About Mark Sivill

Mark Sivill has written 14 blogs on fluxgain.

Looking for interesting projects to undertake within IT. Currently focused around cloud technologies such as salesforce and Heroku.

  • http://saqibali.net/ Saqib Ali

    very nice. does the appexchange security review also cover the amazon storage need for this app? i have run into a situation where the app was fairly secure, but the security controls on their Amazon storage were not good. Bucket ACLs etc...

    • http://twitter.com/fluxgain fluxgain

Details of what was undertaken during the security review were not shared with us. We have however shared how we use Heroku for the app. The app is built on Heroku and the app itself does not directly interact with Amazon services. However, I know that Heroku does use Amazon under the covers, and things like security controls for their Amazon storage usage are in their domain.

We chose to host the app on Heroku as it is owned by Salesforce and we believe Salesforce's reputation around security of customer data is very good. I found a reference to Heroku's security policy at https://policy.heroku.com/security

      We have thought about using Amazon CloudFront going forward with the app to help with performance, but this would be to store public static assets only and not customer data.

      • http://saqibali.net/ Saqib Ali

        so you guys are not using amazon directly.

        what type of datastore are you using on heroku?

        • http://twitter.com/fluxgain fluxgain

          Correct no direct access to amazon services.

          Currently we are using PostgreSQL RDBMS for the datastores, which is also provided by Heroku as an add-on.

Going forward we may also look to use some NoSQL datastores such as Redis to store some information outside of the RDBMS for performance reasons.

        • Mark Sivill

          We have successfully gone through the appexchange security review for fluxgain Like the chatter like button and are now listed on the appexchange at https://appexchange.salesforce.com/listingDetail?listingId=a0N30000009xXVfEAM

          Please contact me directly if you want to go into further details about it.

          Thanks

          Mark

          • http://saqibali.net/ Saqib Ali

            Hello Mark,

            I will surface the idea again with our portal management team.

            Thanks.

          • http://saqibali.net/ Saqib Ali

            Hello Mark,

While reviewing the Like button our team noticed that each Like creates a new post in Chatter. That could get cumbersome in the Chatter feed. Is there a way to aggregate all comments into one Chatter post?

            Thanks.

          • Mark Sivill

            Hi,

Currently all likes against the same page (in the same org) should all be added to the same chatter post. It's worth double checking that the url is the same across requests in case some unique reference number is getting in there.

Going forward we are thinking about splitting the likes into individual chatter posts. Looking at how facebook and google tackle this, it would be more in line with their approach. This also addresses the issue of email notifications with the current approach, which means people don't get notified when other people like the same page.

            Facebook currently uses a filtering system that can filter out likes from the facebook wall. I'm not sure where salesforce is with this type of functionality.

            We also have some other roadmap items which may help tackle this issue. Happy to have a direct chat with you when you've finished your evaluation to cover these points off.

            Thanks

            Mark

  • http://saqibali.net/ Saqib Ali

    Mark,

Will you be offering more favorable pricing for the fluxgain Like Plus for large enterprises (10,000+ users)?

    Saqib

    • Mark Sivill

      Hi Saqib,

      Please contact me directly (details on contact page) when you are ready to discuss pricing.

      Thanks

      Mark