Rethink API authentication
An extern security researcher partly reviewed the authentication method used in Heart and said:
SHA-256 and SHA-512 are not designed to be used for saving passwords. Why does Heart not simply uses things like PBKDF2 or bcrypt?
In another part of the text I wrote:
I have decided to do not implement actions against replay attacks and instead advise all users of Heart to make it available only under HTTPS.
His comment was:
HTTPS is only reducing the danger of replay attacks.
Currently, authentication works like this:
- User's username and password gets hashed with SHA-256 -> authentication key
- User sends request to Heart with authentication key as (query) parameter
dataHash
- Heart generates SHA-512 hash of authentication key
- Heart receives authentication groups of authentication key with a simple SELECT:
SELECT * FROM lb_0_authentication WHERE _key LIKE '$key' LIMIT 1
- Heart decides based on authentication group if user is allowed to execute desired action
This does not seem like there is a vulnerability in the logic, but instead of doing it like this LegionBoard should build on more mature solutions designed by experts. More information: