Technology

59419 readers

5073 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

Salt Labs research finds security flaws within ChatGPT Ecosystem (Remediated) (salt.security)

submitted 8 months ago by MasterPain@lemmy.world to c/technology@lemmy.world

4 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] pixxelkick@lemmy.world 1 points 8 months ago

Note that ChatGPT indeed implemented a state parameter, but their state was not a random value, and therefore could be guessed by the attacker.

Bruh wut, rookie mistake.

State is supposed to be mathematically random and should expire fairly quickly.

I always have used a random guid that expires after 10-15 minutes for state, if they try and complete the oauth with an expired state value I reject ad ask them to try again.

Also yeah the redirect uri trick is common, that's why oath apis must always have a "whitelist urls" functionality. And not just domain, the whole url.

That's why when you make a Google api token you gotta specify what urls it's valid for explicitly. That way any other different redirect uri gets rejected, to prevent an injection attack from a third party providing their own different redirect uri to a victim.

Oath is pretty explicit about all these things in its spec. It really sucks people treat it as optional "not important" factors.

It's important. Do it. Always.