Hi team, we are right now facing a security-related issue with JupyterHub using KubeSpawner and AD authentication.
If User B replaces his cookie (jupyterhub-hub-login) with the same cookie of User A, he would be able to access the Notebook instance page on User B's POD. In this case, he will have access to User A's Notebook code and will also be able to connect to User A's GCP resources (if User A had already authenticated).
Hi! Could you provide some more detail on what the exact security issue is? Users shouldn't share their login cookie, just like they shouldn't share their password.
Hi @manics, thanks for your response. Our security testing team is performing one of the tests related to "CWE-269: Improper Privilege Management", and as part of this test 2 users (user A and user B) logged in from different browsers on the same system.
User A logged in on Google Chrome and User B on Safari. Since both were working on the same system, User B was able to copy the cookie data of User A and access User A's notebook/data.
Is there a way to hide/delete the cookie post authorisation? Or is there a way to initiate user re-login if there is a change in cookie data?
No, not generally, and this affects ~all websites, not just JupyterHub (including GitHub.com, etc.).
Cookies are credentials, and access to cookies generally means access to everything the browser session is authorized to access. For instance, I just manually copied my cookies for GitHub.com from one browser to another and I was logged in. Cookies are highly sensitive credentials, and access to cookies should be considered access to a lot of things across all websites the user has visited. Note that two users on the same system do not generally have access to each other's cookies - these are private, protected files, and users cannot read each other's cookies without some modifications to filesystem permissions.
Is there a way to hide/delete the cookie post authorisation?
Yes, the user can log out of JupyterHub. Deleting cookies is the same thing as logging out (this is true for websites in general).
Or is there a way to initiate user re-login if there is a change in cookie data?
I'm not sure what you mean by "change in cookie data"? If you suspect a user's cookies have been compromised, JupyterHub can invalidate all cookies for a given user by changing the user's cookie_id (a random string) in the database:
```
$ python3 -m jupyterhub.dbutil shell
In [1]: import uuid
In [2]: user = orm.User.find(db, name='username')  # orm and db are pre-loaded by the dbutil shell
In [3]: user.cookie_id = uuid.uuid4().hex           # new random id: every cookie issued with the old id stops validating
In [4]: db.commit()
```
Or it can invalidate all cookies for all users by changing the JupyterHub.cookie_secret configuration used to encrypt and sign cookies.
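To make the mechanism described above concrete, here is a simplified model of what the hub checks when a login cookie arrives (an added example, not JupyterHub's own code): the cookie carries the user name and the per-user random cookie_id, signed with a secret; a tampered or random cookie fails the signature check, a cookie whose cookie_id no longer matches the database is rejected after rotation, and changing the secret rejects every cookie at once. The cookie layout, the USERS dict standing in for the database, and the secret values are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for JupyterHub.cookie_secret.
SECRET = b"constructed-demo-cookie-secret"

# Constructed stand-in for the hub database: user name -> cookie_id (random string, as in orm.User).
USERS = {"user_a": secrets.token_hex(16), "user_b": secrets.token_hex(16)}


def sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_cookie(name: str, secret: bytes = SECRET) -> str:
    """Mint a login cookie of the form 'name:cookie_id:signature' (simplified model, constructed layout)."""
    payload = f"{name}:{USERS[name]}".encode()
    return payload.decode() + ":" + sign(payload, secret)


def authenticate(cookie: str, secret: bytes = SECRET):
    """Return the user the cookie identifies, or None if it is not valid identification.

    Note that nothing here knows which browser presented the cookie: any bearer of a
    valid cookie is that user, which is why only rotation can revoke a copied cookie.
    """
    try:
        name, cookie_id, sig = cookie.split(":")
    except ValueError:
        return None  # malformed / random string: treated as logged out
    payload = f"{name}:{cookie_id}".encode()
    if not hmac.compare_digest(sig, sign(payload, secret)):
        return None  # signature does not verify: tampered cookie or rotated secret
    if USERS.get(name) != cookie_id:
        return None  # cookie_id was rotated in the database: old cookie no longer valid
    return name


def rotate_cookie_id(name: str) -> None:
    """Equivalent of setting user.cookie_id = uuid.uuid4().hex and committing."""
    USERS[name] = secrets.token_hex(16)
```

Rotating one user's cookie_id logs out only that user's existing sessions; a new secret (the JupyterHub.cookie_secret case) invalidates every issued cookie.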
Sorry, but I couldn't understand which filesystem permissions we are talking about here; can you please explain it a bit more?
After logging in we manually updated the "jupyterhub-hub-login" cookie data with some random string, and the application was logged out and asked us to re-login.
However, if we pass some other user's "jupyterhub-hub-login" cookie data, it switches to that user's profile. Shouldn't it log out this time as well?
Another thing: will setting the env variable "JPY_COOKIE_SECRET" to store the cookie secret be helpful?
@minrk is referring to a multi-user system, where each user has their own operating system account, and home directory permissions are set to prevent other users from having access.
In this case you've got a single operating system user account, and you're giving multiple users access. In this situation there's no good way to secure it - one user is effectively indistinguishable from another.
The cookie data identifies a user to JupyterHub. Therefore there's no way for JupyterHub to detect if a user manually changes a cookie to be a different valid cookie, since both cookies provide valid identification. Even if there was a way to detect a "change", there's nothing to stop a user cloning the complete browser profile including cookies, and therefore appearing identical.
I think your security team are asking for the impossible - if multiple users have access to the same system account, and they're not restricted in any way, and they don't log out, and they're likely to misuse the system by accessing someone else's private browser data, then there's not much you can do.
The most secure option is probably to give each user their own operating system account, and ensure permissions are set up so they get their own private home directory.
Why would they resort to copying the cookie data between browsers? Just use the other user's browser directly. Read their email, buy something on Amazon.
Thank you all for your responses. We have rejected the issue due to the above-said reasons.
However, we tried copying the browser cookies of a user logged into the GCP console, and when we copied them into another user's browser session it redirected to the login page. Not sure how it is being handled on Google's side, but I believe there is a way to handle such cookie-copying issues; it is not a concern for us right now, though.