OpenStreetMap
OpenStreetMap Website Vulnerability Report
Posted by NorthCrab on 15 March 2024 in English. Last updated on 18 March 2024.As part of my commitment to OpenStreetMap-NextGen migration, I undertook a comprehensive security review of the existing OpenStreetMap website. I followed the principles of coordinated vulnerability disclosure, working directly with the maintainers to responsibly report my findings. Today, I’m making the details of this process public and verifying the status of the fixes.
Disclosure Timeline
- 2023-11-04 - Contacted Ruby security maintainers & disclosed the timeline publicly
- 2023-11-08 - Maintainers acknowledged the report
- 2023-12-04 - Reported additional vulnerabilities with a 3-month deadline
- 2023-12-06 - Maintainers acknowledged the additional report
2024-03-02 - Publicize vulnerability details- 2024-03-15 - Publicize vulnerability details
1. Plain-Text Authentication Token Storage
Authorization tokens (oauth, session, user tokens) are stored in plain text. Read access to the database allows full impersonation of any user.
Status as of 2024-03-15: Partially vulnerable (oauth still depends on plain text storage)
NextGen Codebase Status: Fixed (all authorization tokens and credentials are hashed or encrypted for secure storage)
2. Insecure Email Reply Address Tokenization
The tokens used to ensure the authenticity of email replies are too short (24-bit), making them susceptible to brute-force attacks. An attacker could potentially guess the token and impersonate a legitimate user in email conversations. This vulnerability is especially dangerous if the attacker already has access to a conversation’s metadata (allowing for complete security bypass).
Status as of 2024-03-15: Fixed (now with 48-bit security)
NextGen Codebase Status: Fixed (128 or 256-bit security; undecided)
3. Unbounded GPX Extraction Denial of Service
The OpenStreetMap website does not impose limits on the number of files that can be extracted from a GPX archive. Attackers can exploit this by uploading specially crafted archives containing a massive number of files, potentially overwhelming the system and causing it to crash.
Status as of 2024-03-15: Mostly vulnerable (a partial fix limits points within trace files but does not fully address the issue)
NextGen Codebase Status: Fixed
4. Notes Search Query Denial of Service
The /api/0.6/notes/search endpoint is poorly optimized. This allows attackers to craft specific search queries that are extremely resource-intensive, effectively using the search feature to launch a denial of service attack.
Status as of 2024-03-15: Vulnerable
NextGen Codebase Status: Not yet tested
5. String Comparison Timing Attack
The way the code compares strings can, under certain circumstances, leak timing information. When attackers can carefully measure these timing differences, they might be able to extract secret information, such as security keys and tokens.
Status as of 2024-03-15: Fixed
NextGen Codebase Status: Fixed
6. User Block and Rate Limit Bypass
A loophole exists where a malicious user can repeatedly delete and recreate their account (using the same credentials) to circumvent security measures like user blocks and rate limits.
Status as of 2024-03-15: Fixed
NextGen Codebase Status: Not yet tested
7. Application Preference Leakage
OpenStreetMap allows different applications to store user preferences. A flaw exists where any application can access preferences created by a different application. This could leak information, and might be abused to attack other vulnerable applications that mistakenly trust data stored in user preferences.
Status as of 2024-03-15: It’s intended behavior
NextGen Codebase Status: Fixed (in API 0.7; via optional preference partitioning)
8. Unrestricted Email Checking via Password Recovery
The password recovery feature can be abused to check if any arbitrary email address is associated with an OpenStreetMap account.
Status as of 2024-03-15: Fixed
NextGen Codebase Status: Fixed
9. Forced Downgrade from OAuth1.0a to OAuth1.0
Under specific conditions, the authentication protocol can be downgraded from the more secure OAuth1.0a to the less secure OAuth1.0. This downgrade would omit important security checks.
Status as of 2024-03-15: Fixed
NextGen Codebase Status: Fixed
10. Insufficient User Token Integrity Checks
Tokens, used for things like password resets or confirming email changes, aren’t properly differentiated. An attacker might be able to use a password reset token to change an email address, or vice-versa.
Status as of 2024-03-15: Fixed
NextGen Codebase Status: Fixed
11. Inadequate Randomness Source in Token Generation
The system generating security tokens relies on a weak source of randomness. Predictable tokens are much easier for attackers to guess or manipulate.
Status as of 2024-03-15: Fixed
NextGen Codebase Status: Fixed
12. Unicode Normalization Flaw Allowing Email/Display Name Duplication
The lack of Unicode normalization means a user can register with an email address or display name that is identical to an existing one (but uses different Unicode characters). This could be used to trick users or bypass database restrictions.
Status as of 2024-03-15: Fixed
NextGen Codebase Status: Not yet tested
Support the NextGen development
I work on the OpenStreetMap-NextGen full-time. If you find my work valuable, please consider supporting the development on Liberapay or GitHub. Every contribution helps push us closer to that first stable release. Thank you! 🦀
And a huge thank you to those who have already supported me!
Submit a correction
If you find any inaccuracies or have suggestions to improve this diary, please feel free to contact me via https://monicz.dev/#get-in-touch.
Disclaimer
Please note that this project is not affiliated with the OpenStreetMap Foundation. It’s the result of my voluntary work and personal choices.
Discussion
Comment from mmd on 15 March 2024 at 16:33
Thanks a lot for looking into this and disclosing the issues in a responsible manner. A few comments on some of the remaining open ones:
By the way, I’m a bit surprised not to see any Javascript of CSRF issues (we’ve been fixing some of these in the past). Is this still to come?
Comment from NorthCrab on 15 March 2024 at 16:42
Hey, I did not review the HTML templates. The application already has a well defined CSP so impact of such issues would be close to none.
Comment from gileri on 16 March 2024 at 10:21
Hi, thank you for the analysis and report !
Comment from Andy Allan on 18 March 2024 at 10:02
I just want to jump in here and publicly say thank you for these reports, and for giving us time to fix them. Tom and I spent time during the recent Karlsruhe Hack Weekend to go through your reports and make sure that we had addressed them all, and I’m sorry I didn’t get back to you before your disclosure deadline. It looks like you’ve been watching what we were doing anyway since your report is pretty accurate!
One small correction to your report is about “new user tokens system are still using plain text storage” - this isn’t quite accurate. We removed our UserTokens system in https://github.com/openstreetmap/openstreetmap-website/pull/4535 and moved to using a standard Rails token feature: https://edgeapi.rubyonrails.org/classes/ActiveRecord/TokenFor/ClassMethods.html
This feature doesn’t store the tokens anywhere - plaintext or otherwise. They are signed tokens, so the tokens can be sent to users and verified when they are used, without storing anything in the database or elsewhere on the servers.
I’d be happy to see any more bug reports that you come across, and I also invite you to work with us on the main openstreetmap-project directly on these kind of things.
Comment from NorthCrab on 18 March 2024 at 10:23
@Andy Allan, I have added the correction. I am Ruby-noob and when I originally reviewed this ActiveRecord class I misunderstood how it works. The new system makes a lot of sense, I like it!
I am currently super-focused on the NextGen development as I want to reach the stable-ish release and invite new contributors to join in. I don’t know Ruby at all so I would be quite useless in contributing to the current codebase.
However, I see a great starting point for collaboration that would benefit both projects. I would need to get some help with benchmarking the openstreetmap-website project. The current deployment documentation seems to be slightly outdated and I failed to reproduce the official deployment scenario. This could additionally involve writing scripts for populating database with test user data etc. Basically something that will make the benchmarks more realistic in terms of database index usage.
Comment from Andy Allan on 18 March 2024 at 10:57
Even if you don’t want to learn Ruby (and I don’t think you need to know much ruby to contribute, it’s a pretty straightforward codebase without much complex code) then I’m sure you know there’s plenty of other parts of the site like the html, icons, css etc that you could directly contribute to.
I’ve noticed a few UI changes that you’ve tried out on your own codebase, and it would be great to see these kinds of things included in the main project so that our mappers can benefit from them in production. So if you want to make some PRs then I’d be happy to review them. You know what changes you’ve made so you’re in a good position to contribute them to the upstream project!