[Closed] Security of Brave Publishers Payment page inadequate


#1

As best as I can tell, anyone who ever figures out the “https://publishers.brave.com/publishers/…” link to the Brave Publishers Payment page for a website that I administer can click on that link and change the Bitcoin payment address to a wallet of their choosing.

Fortunately, the income stream for my site is very, very small, so little would be lost. But I can imagine that larger sites would not be amused to have their Brave income stream stolen so easily.

There were one or two other such low-security links that I encountered while verifying this site for Brave payments, but at least those links were only transiently valuable, not “forever”.


#2

Hi there,

This is a great concern and we definitely need to address it :slight_smile: We’ve captured an issue which you can track here:

I’m going to personally try to get this resolved within the next week or two. Stay tuned

Thanks
Brian


#3

Hopefully you’re making some progress on this … I’m still using that original link that I got a couple of months ago now to access my brave.com/publishers/home page for my website.

It’s worse than just letting anyone who might steal that link then steal all my incoming Brave payments.

Such a thief could also steal a look at my W-9 Tax Form, which would be a good start on identity theft.

I actually don’t think that making that link timeout after N days is sufficient. I think that this requires at least password level security (and/or Steve Gibson’s “any month now” SQRL.) If I actually had any significant Brave income or any identity worth stealing, I would refuse to even participate in this current apparatus.


#4

Hi @ThePythonicCow,

I dropped the ball on this, thanks for reaching back out

The points you bring up are great; right now, if someone has their email compromised, there is no automated way to lock attackers out. We could always update things on our side manually for the time being

Per the issue above, we decided that the link should be good for one visit and no more. What do you think about this?

Thanks
Brian


#5

Single use is better I guess, though I doubt that it is an adequate solution long term. Do you plan to email a new, single use link, automatically, every time the outstanding link is used?

If anyone could snoop whatever means I have of reading email, I could lose control of my Brave payments and leak my W-9 data. Password resets often use similar security, but at least such resets are an exceptional case, not a routine case, and usually when a password reset on some important account is initiated, one is watching for the email response with its link, to use it right away.

Password level security, and more, such as Multi-Factor Authentication or (someday, I hope) Steve Gibson’s SQRL, or public/private key security, would seem to be necessary, before any substantial amount of money could be secured.


#6

A couple more thoughts.

Just seeing my current “Balance pending” might have a lower, more convenient, security level (such as the current “special link” mechanism provides), whereas viewing my W-9 form or editing my Bitcoin payment address really requires a more robust security mechanism.


#7

@ThePythonicCow

With regards to expiring the links, we were thinking that each subsequent visit would require re-authentication via email. Obviously, this feature would only be useful after email is re-secured. Having your email compromised also means all accounts which only use email as authentication are compromised too

Requiring MFA would be a good feature for us to add. If you wanted to capture your request in more detail, you can create a new issue here:

edit:
I like your ask of requiring MFA for any sensitive information :slight_smile:

Thanks
Brian

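The mechanism sketched in #4 and #7 (a link good for one visit, with each later visit requiring re-authentication by email) and the tiering asked for in #6 (balance view at a lower level, W-9 and payout address at a higher one) fit in one small service. The Python below is an added illustration written for this page; it is not Brave’s code. The in-memory store, the TTL and step-up window values, the action names and the publishers.example URL are all assumptions. The point it adds to the discussion is that the server keeps only a SHA-256 hash of each token, so a copy of the database does not yield working links, and that sensitive actions are gated on how recently the session was authenticated rather than on the session merely existing.

```python
import hashlib
import secrets
import time


class MagicLinkService:
    """Single-use, expiring login links with a step-up tier for sensitive actions.

    Hypothetical example for this thread; not Brave's implementation.
    """

    # Assumed tiers, following post #6: reading a pending balance is low
    # sensitivity; the W-9 and the payout address are high sensitivity.
    LOW = {"view_balance"}
    HIGH = {"view_w9", "change_payout_address"}

    def __init__(self, ttl_seconds=900, step_up_window=300, clock=time.time):
        self.ttl = ttl_seconds                # how long an unused link stays valid
        self.step_up_window = step_up_window  # how recent the login must be for HIGH actions
        self.clock = clock                    # injectable for tests
        self._tokens = {}    # sha256(token) -> {"publisher", "expires", "used"}
        self._sessions = {}  # session id -> {"publisher", "authenticated_at"}

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is stored; the raw token exists in the email and nowhere else.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_link(self, publisher_id: str) -> str:
        """Create a fresh single-use link to be sent to the publisher's email."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._tokens[self._digest(token)] = {
            "publisher": publisher_id,
            "expires": self.clock() + self.ttl,
            "used": False,
        }
        # Assumed URL shape; the token is the only credential in the link.
        return f"https://publishers.example/login?token={token}"

    def redeem(self, token: str):
        """Consume a link exactly once. Returns a session id, or None if rejected."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["used"] or self.clock() > rec["expires"]:
            return None
        rec["used"] = True  # second visit with the same link is refused
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "publisher": rec["publisher"],
            "authenticated_at": self.clock(),
        }
        return session_id

    def authorize(self, session_id: str, action: str) -> bool:
        """LOW actions need a live session; HIGH actions need a recent authentication."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        if action in self.LOW:
            return True
        if action in self.HIGH:
            age = self.clock() - session["authenticated_at"]
            return age <= self.step_up_window
        return False  # unknown action: deny by default


if __name__ == "__main__":
    svc = MagicLinkService(ttl_seconds=900, step_up_window=300)
    link = svc.issue_link("publisher-123")   # would be emailed, never logged
    token = link.split("token=", 1)[1]
    sid = svc.redeem(token)
    print("first redeem ok:", sid is not None)
    print("second redeem ok:", svc.redeem(token) is not None)
    print("may view balance:", svc.authorize(sid, "view_balance"))
    print("may view W-9:", svc.authorize(sid, "view_w9"))
```

Once the step-up window has passed, a HIGH action would send the publisher a new link (or, if MFA is added as discussed above, an MFA challenge) and refresh `authenticated_at` on success. Lookups are keyed by the token’s hash, so the usual constant-time comparison concern does not apply to the raw token; and, as the thread notes, none of this helps once the mailbox itself is compromised.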

#8

Likely this already occurred to you, but I’d suggest keeping multi-factor authorization (MFA) optional. Different users will have different trade-offs between what’s practical for them to do, and what level of security they require.


#9

Let me emphasize something I noted above:

This is not like choosing what font or display color users of the system prefer. You don’t take a user poll to decide this.

This is about dealing with sensitive financial and identity information. You get a good security audit.

Please get my W-9 details -off- any web page that can be gotten to just using a special, long lived, URL. The contents of https connections are encrypted, but unless I am mistaken the initial https URLs are plain text visible to any man in the middle.

I am becoming increasingly annoyed that this state of affairs was ever considered, much less tolerated after being raised. Expiring login tokens, or what’s worse, the currently non-expiring tokens, passed in the URL in plain text, are not acceptable, in my estimation. But you must get a decent security audit, and not rely on security amateurs like myself (or so far as I can tell, those at Brave.com who have been involved with implementing, reviewing or supporting this so far.)

What I’d really like is either (1) major action on this potential leakage of financial and identity information, ASAP, or (2) a refund of the remaining amount I have in my Brave Payments Account and removal of my W-9 from your system.


#10

In other words – before spending time on multi-factor authentication, how about getting single factor authentication, by which I mean something I know that authenticates my access, that is never transmitted in plain text (the way that the current URLs are, sent out via insecure email, and then used repeatedly as plain text URLs), and that is either a private shared secret or a private-public key arrangement.

… but I should quit playing amateur security analyst here and again urge Brave to get some serious security auditing.


#11