No Data Security?

Moderators: adafruit_support_bill, adafruit

Forum rules
If you're posting code, please make sure your code does not include your Adafruit IO Active Key or WiFi network credentials.
Locked
User avatar
jdeptuck
 
Posts: 2
Joined: Wed Apr 04, 2018 12:43 pm

No Data Security?

Post by jdeptuck »

I feel I must be missing something here because it seems I'm able to delete or manipulate any shared data using curl without any sort of authentication key.

I have my data feeds shared and everything works as expected.

From a completely separate machine I can run the following command....

Code: Select all

curl -s "https://io.adafruit.com/api/v2/<myid>/feeds"
As expected it returns my public feeds.

I can run the following command...

Code: Select all

curl -s "https://io.adafruit.com/api/v2/<myid>/feeds/<feedkey>/data"
As expected it returns data from my public feed.

This is where it gets unexpected. I can run the following command...

Code: Select all

curl -s -X DELETE "https://io.adafruit.com/api/v2/<myid>/feeds/<feedkey>/data/<data point id>"
And without any authentication or authorization, it will remove that datapoint from my dataset.


Is this operating as designed? Am I missing something obvious?

thanks!

User avatar
abachman
 
Posts: 352
Joined: Mon Feb 01, 2010 12:48 pm

Re: No Data Security?

Post by abachman »

Hi jdeptuck,


I'm not able to duplicate that on io.adafruit.com. It's definitely not by design.

A few questions: are you able to reproduce it with a new feed? Do you remember the ID of the data point that you deleted? How much data was in the feed when you ran the `curl -X DELETE` command?


- adam

User avatar
jdeptuck
 
Posts: 2
Joined: Wed Apr 04, 2018 12:43 pm

Re: No Data Security?

Post by jdeptuck »

Hi Adam.

Thanks for the reply, strangely I'm not able to reproduce this anymore. This was the series of commands I ran when I did this....

Code: Select all

curl -s "https://io.adafruit.com/api/v2/jdeptuck/feeds/humidity/data/first"
curl -s "https://io.adafruit.com/api/v2/jdeptuck/feeds/humidity/data/0DTY2AWXKJB34Q1YT43W9YSYYC"
curl -X DELETE -s "https://io.adafruit.com/api/v2/jdeptuck/feeds/humidity/data/0DTY2AWXKJB34Q1YT43W9YSYYC"
curl -s "https://io.adafruit.com/api/v2/jdeptuck/feeds/humidity/data/0DTY2AWXKJB34Q1YT43W9YSYYC"
The last command resulted in a 404 and the data was gone.

I have since that time flipped my feeds over to private, and then back to public. Perhaps this reset something.


I also had an odd issue where I would run "curl https://io.adafruit.com/api/v2/<other user>/feeds/<other feed>/data/first" and it actually flipped his entire feed from public to private. It was scary. Ran the command once, data was there, ran it again, and the whole feed was gone. The user logged in to his account and found his feeds were all there, just no longer public.

User avatar
abachman
 
Posts: 352
Joined: Mon Feb 01, 2010 12:48 pm

Re: No Data Security?

Post by abachman »

Yeah, super weird. You should definitely never be able to delete data you don't own, whether you're signed in or not. I'm going to run through everything and make sure there's not an edge case we're missing. I would be a first, but there's always a first time. I have a lead on the root cause, but it will take more research.

Regarding the public / private flip, it's possible that's a caching bug, we've seen that in the past with the MQTT API. We were aggressively caching feed lookups which could, in certain situations, result in reverting visibility settings when a value was published within a certain number of seconds from the setting being changed. Since the data first/next/last/previous API endpoints are stateful in a similar way (due to their stream processing nature) they're probably hitting the same bug. Not awful when it flips public -> private, pretty awful when it flips the other way. I'm researching this now too.

I'll post an update here when I have a fix for these.


- adam

Locked
Forum rules
If you're posting code, please make sure your code does not include your Adafruit IO Active Key or WiFi network credentials.

Return to “Internet of Things: Adafruit IO and Wippersnapper”