Recent Blockstack Browser Vulnerability Discovery and Mitigation


#1

This week, we discovered a security vulnerability in a recent release of the Blockstack Browser. This vulnerability leaked an authentication token which is used by user’s browser to authenticate with the user’s Gaia hub. This token specifically was used to authenticate writes to a user’s profile object. On discovery, the vulnerability was immediately patched and the hotfix was released as an update the same day. However, in addition to patching the vulnerability, we took steps to invalidate all outstanding authentication tokens. To minimize the disruption caused to applications, we reached out to many application developers with instructions on how to test their applications’ behavior in the face of an invalidation event, and also updates to our SDK which automatically reauthenticate when an authentication token is invalidated.

This vulnerabilty did not leak user private keys or authentication tokens used by applications. This means that an attacker who obtained the leaked authentication token would only be able to delete or roll back a user’s profile to previous versions. They could not impact user’s application data, impersonate users, or decrypt any of a user’s encrypted data.

For future vulnerabilities of this nature, we will handle mitigation and disclosure in a similar way: first, we will patch our software as quickly as possible. Second, if a mitigation would affect applications, we will attempt to notify application developers before such a mitigation goes into effect.

Preventing future bugs like this requires increased code review. Automated tests are not always sufficient to detect information leaks (though in this case, we will be adding JSON schema validation to our automated tests in the browser). This quarter, we are focusing on putting in place guidelines for maintainer code review of PRs and releases. These guidelines will apply not only to community contributions, but to Blockstack employee contributions as well. The intention is to increase the quality assurance for all code in Blockstack projects. In addition to increased code review by maintainers of Blockstack software, we encourage community members to inspect our code on Github (https://github.com/blockstack/) and participate in our bug bounty program at HackerOne (https://hackerone.com/blockstack).


App Mining Rewards Is Totally Broken
Blockstack Team Weekly Updates for 1/7-1/11
#2

Note, the most recent version of blockstack.js allows applications to automatically recover when their authentication tokens become invalid. However, if an application did not upgrade, you may experience strange application behavior. Signing out and signing back into the application should remedy the problem.


#3

Thanks for the transparency and quick patch!