September 11, 2024
December 15, 2023

Security Advisory: Personal Access Tokens


Dimitrie Stefanescu
CEO at Speckle

Here at Speckle, we review our products to ensure continuous improvement. As part of a recent review we identified a moderate security vulnerability in Speckle Server which may affect some users. We have patched Speckle Server, and the new version (2.17.6) is available from our GitHub releases (https://github.com/specklesystems/speckle-server/releases). This version is already deployed on speckle.xyz, app.speckle.systems, and all other servers hosted by Speckle Systems.

This vulnerability could not be used to escalate a user's privileges beyond those the user already held, or to grant privileges on behalf of other users. Only a limited subset of users may have been affected. We do not believe the vulnerability has been exploited in the wild.

Impact

This moderate security vulnerability only affects users who:

  • authorised an application that requested the 'token write' scope on their behalf; or
  • using the new web interface (Frontend 2), created a Personal Access Token (PAT) with the 'token write' scope.

Description

A Personal Access Token allows applications and scripts to securely authenticate with Speckle Server and act on behalf of a user. You can read more about Personal Access Tokens in Speckle’s documentation.

To create a new Personal Access Token, an agent must authorise the request with an existing token (the 'requesting token'). The requesting token must hold the 'token write' scope in order to generate new tokens.

A token with the 'token write' scope could be obtained in two ways: by creating it in the new web interface (Frontend 2), an option that has been removed as of version 2.17.6, or through an application that a user authorised on their behalf.

However, Speckle Server was not verifying that the scopes granted to the new token were a subset of those held by the requesting token. A malicious actor who obtained a token with the 'token write' scope, even one carrying no other scope, could use it to generate further tokens carrying any other privilege the user held.

This vulnerability could not be used to escalate a user's privileges or grant privileges on behalf of other users.
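The check that was missing, modelled as an added example in TypeScript (the language Speckle Server is written in). This is not Speckle's own code: the scope identifiers, the `ApiToken` shape and the function names are assumptions made for illustration. The vulnerable variant reproduces the behaviour the advisory describes; the hardened variant adds the subset check so that a token can only delegate privileges it already holds.

```typescript
// Added example, not Speckle Server source. Scope names, the ApiToken shape
// and the function names below are assumptions for illustration only.

type Scope = string;

// Assumed scope identifiers; Speckle's real scope strings may differ.
const TOKEN_WRITE: Scope = "tokens:write";
const STREAMS_READ: Scope = "streams:read";
const STREAMS_WRITE: Scope = "streams:write";
const USERS_EMAIL: Scope = "users:email";

interface ApiToken {
  id: string;
  owner: string; // the user the token acts on behalf of
  scopes: Scope[];
}

class ScopeEscalationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ScopeEscalationError";
    // keeps `instanceof` working when compiled to older targets
    Object.setPrototypeOf(this, ScopeEscalationError.prototype);
  }
}

// Before the fix, as the advisory describes it: the server checks only that
// the requesting token carries 'token write'. The scopes requested for the
// new token are copied through unchecked, so a leaked token holding nothing
// but 'token write' can mint a token with every scope the user has.
function createTokenVulnerable(requesting: ApiToken, requestedScopes: Scope[], newId: string): ApiToken {
  if (!requesting.scopes.includes(TOKEN_WRITE)) {
    throw new Error("requesting token lacks the token write scope");
  }
  return { id: newId, owner: requesting.owner, scopes: [...new Set(requestedScopes)] };
}

// Hardened: besides requiring 'token write', reject any requested scope that
// the requesting token does not itself hold. Delegation can only narrow.
function createTokenHardened(requesting: ApiToken, requestedScopes: Scope[], newId: string): ApiToken {
  if (!requesting.scopes.includes(TOKEN_WRITE)) {
    throw new Error("requesting token lacks the token write scope");
  }
  const held = new Set(requesting.scopes);
  const wanted = [...new Set(requestedScopes)];
  const escalated = wanted.filter((s) => !held.has(s));
  if (escalated.length > 0) {
    throw new ScopeEscalationError(
      `requested scopes not held by the requesting token: ${escalated.join(", ")}`
    );
  }
  return { id: newId, owner: requesting.owner, scopes: wanted };
}

// Constructed scenario: the user holds broad privileges, but the attacker only
// got hold of a token whose single scope is 'token write'.
const userScopes: Scope[] = [STREAMS_READ, STREAMS_WRITE, USERS_EMAIL, TOKEN_WRITE];
const leakedToken: ApiToken = { id: "tok_leaked", owner: "alice", scopes: [TOKEN_WRITE] };

// Scopes the attacker ends up with under each server behaviour.
function attackOutcome(): { vulnerable: Scope[]; hardened: Scope[] | "rejected" } {
  const vulnerable = createTokenVulnerable(leakedToken, userScopes, "tok_forged").scopes;
  let hardened: Scope[] | "rejected";
  try {
    hardened = createTokenHardened(leakedToken, userScopes, "tok_forged").scopes;
  } catch (e) {
    if (e instanceof ScopeEscalationError) {
      hardened = "rejected";
    } else {
      throw e;
    }
  }
  return { vulnerable, hardened };
}

// Legitimate narrowing still works under the hardened check: an application
// token holding streams:read and tokens:write mints a read-only script token.
function legitimateNarrowing(): Scope[] {
  const appToken: ApiToken = { id: "tok_app", owner: "alice", scopes: [STREAMS_READ, TOKEN_WRITE] };
  return createTokenHardened(appToken, [STREAMS_READ], "tok_script").scopes;
}

console.log(attackOutcome());
console.log(legitimateNarrowing());
```

Running the block prints the forged token's full scope list under the vulnerable path and `"rejected"` under the hardened path, followed by the single `streams:read` scope of the legitimately narrowed token. The subset rule is what makes 'token write' safe to delegate at all: without it, any token carrying that scope is effectively a full-privilege token for the user, which is why the advisory treats such tokens as the affected population.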

Immediate Actions

All operators of Speckle servers should upgrade their server to version 2.17.6 or later.

Any users who authorised an application with the 'token write' scope, or created a token in Frontend 2 with the 'token write' scope, should:

  • Review their existing tokens and revoke any they do not recognise.
  • Revoke their remaining tokens and create new ones in their place.
  • Review their account activity for anything suspicious.

We gave advance notice to the Speckle Insiders group so that server operators had time to patch their servers. If you operate a server and are not already part of the Speckle Insiders group, please join here: https://speckle.community/g/Insiders

We encourage the responsible disclosure of security vulnerabilities. If you encounter what may be a security vulnerability in a Speckle product, please email us immediately at security@speckle.systems.
