Security hole in Spiceworks App
-
Just a heads up, there has been a security flaw in the Spiceworks app (7.4.065), but it's only present in the new "social login" (logging in via Facebook/LinkedIn). I haven't updated yet.
Details here: http://community.spiceworks.com/topic/1025099-security-issue-linkedin-and-facebook-on-spiceworks-login-screen
El Reg's take on the issue here: http://www.theregister.co.uk/2015/06/23/spiceworks_social_sign_on_fail_log_in_linkedin_facebook_admin/
Keep it informative and pleasant, please.
-
Wow. That's a pretty big deal. Though it doesn't surprise me; this is what you get when you have a marketing company pushing out apps just to have apps for a marketing/advertising tool.
-
That's what happens when you force all the logins to go through their servers, rather than the old OAuth method.
-
@Nic said:
That's what happens when you force all the logins to go through their servers, rather than the old OAuth method.
That the passwords and security are not stored locally is not something that was made very public. That's something I know people know through observation, not through announcement or a change in the "data collection" policy.
-
How does authentication work, if anyone knows, if you block connections to Spiceworks, which has been a fundamental recommendation for basic SW security since the beginning, as any data could egress in the background? Does this mean that you just cut off those features? Or does it actually mean that the app no longer functions offline?
-
I believe it requires a connection - if the community is down for maintenance then you can't log in to your local app. Once you are authenticated, you can block the connection, however.
-
@scottalanmiller said:
How does authentication work, if anyone knows, if you block connections to Spiceworks, which has been a fundamental recommendation for basic SW security since the beginning, as any data could egress in the background? Does this mean that you just cut off those features? Or does it actually mean that the app no longer functions offline?
I believe the app starts but will not let you log in with what it will detect as no internet connection.
-
Pleasantly surprised that this news only made the fifth highest thread of the day over there, not a hot topic. For those wanting to follow along, the official response just went up:
http://community.spiceworks.com/topic/1027590-desktop-social-signup-security-vulnerability