If you ever shared the #Lutris debug log (as requested by both the Forum as well as github issue page) while your #GOG account was connected:

You might've shared your secret API token publicly.

The Lutris logs seem to NOT hide *any* personal information in debug logs' HTTP requests. Including your private refresh token.

If you ever shared a Lutris debug log, de-auth sessions and change passwords immediately.
github.com/lutris/lutris/issue…
#Security #Linux #itchio #HumbleBundle



in reply to Natasha Nox 🇺🇦🇵🇸

Disclaimer: I'm not a security researcher or even fluent in Python. Further analysis by more capable people very much welcome.

From my point of view this looks like an absolute fuck up by the #Lutris team. Requesting debugs for your tool while coding said tool to just throw *every* HTTP request into the log file no matter its content is just screwed up.
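The mitigation this post implies, as an added example that is not Lutris code: mask credential values in an HTTP request or response before it is written to a debug log, and check an existing log for values that slipped through. The field names, the mask string and the sample log lines are assumptions constructed for the example.

```python
import re

# Parameter names whose values must never reach a debug log in clear text.
# Assumed list for this example; client_secret is kept even though the thread
# notes it is effectively public for Lutris, because redacting it costs nothing.
SENSITIVE_KEYS = ("refresh_token", "access_token", "client_secret", "code", "password")
MASK = "[REDACTED]"
_KEYS = "|".join(SENSITIVE_KEYS)

# key=value in form-encoded bodies and query strings
_FORM_RE = re.compile(rf"\b({_KEYS})=([^&\s\"']+)")
# "key": "value" in JSON request/response bodies
_JSON_RE = re.compile(rf'("({_KEYS})"\s*:\s*")([^"]*)(")')
# Authorization: Bearer <token> / Basic <base64>
_AUTH_RE = re.compile(r"(Authorization:\s*(?:Bearer|Basic)\s+)\S+", re.IGNORECASE)


def redact_secrets(text: str) -> str:
    """Return text with credential values masked; keys stay visible for debugging."""
    text = _FORM_RE.sub(rf"\g<1>={MASK}", text)
    text = _JSON_RE.sub(rf"\g<1>{MASK}\g<4>", text)
    text = _AUTH_RE.sub(rf"\g<1>{MASK}", text)
    return text


def find_leaked_keys(text: str) -> set[str]:
    """Names of sensitive fields whose values are still unmasked in text.

    Intended as a pre-share check over an already written debug log."""
    leaked = set()
    for m in _FORM_RE.finditer(text):
        if m.group(2) != MASK:
            leaked.add(m.group(1))
    for m in _JSON_RE.finditer(text):
        if m.group(3) != MASK:
            leaked.add(m.group(2))
    if any(m.group(0).split()[-1] != MASK for m in _AUTH_RE.finditer(text)):
        leaked.add("authorization")
    return leaked


# Constructed sample log, modelled on an OAuth refresh-token exchange (not real data).
SAMPLE_LOG = """\
DEBUG POST https://auth.example.test/token
DEBUG body: client_id=EXAMPLE_CLIENT&client_secret=EXAMPLE_SECRET&grant_type=refresh_token&refresh_token=rt_EXAMPLE_1234
DEBUG response: {"access_token": "at_EXAMPLE_5678", "expires_in": 3600, "refresh_token": "rt_EXAMPLE_9999"}
DEBUG GET https://api.example.test/user Authorization: Bearer at_EXAMPLE_5678
"""

if __name__ == "__main__":
    print("leaked before:", sorted(find_leaked_keys(SAMPLE_LOG)))
    print(redact_secrets(SAMPLE_LOG))
```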

in reply to Natasha Nox 🇺🇦🇵🇸

from a *very* cursory look: client_secret and client_id are static values tied to lutris and not critical: github.com/lutris/lutris/blob/…

The refresh_token *is* a user-specific secret. (EDITED: see below, it *is* reusable, that's bad!)

in reply to Sven

@HeNeArXn I've thrown the whole HTTP request for my account into curl and got back a valid access_token with some other info from the GOG API, so I don't think it's tied to lutris. At a minimum it would be possible to freely download GOG games using it I think, which is already a huge problem. Or do I misunderstand something? 🤔
@Sven
in reply to Natasha Nox 🇺🇦🇵🇸

client_* is about the application. All it communicates is "this is lutris".

The refresh_token is tied to you - and if GOG let it be reused, which your test seems to prove, then yes, it is absolutely a problem!

in reply to Sven

@HeNeArXn Ah, I see. What about client_secret though?

I was able to get a valid response for the account of my brother from a completely different IP and device after he shared a debug log with me, which alarmed me.

@Sven
in reply to Natasha Nox 🇺🇦🇵🇸

client_secret is as you can see from my link also public in practice. Ignore those.

The problem is the refresh_token alone, but that is totally a problem. So I suggest editing the issue to a) not mention the client_id/_secret, and b) make it clear that you were actually able to use curl to reuse the refresh_token from another computer, because the latter is the REALLY REALLY BAD part.

in reply to Sven

@HeNeArXn Thank you for your clarification! I've edited the github issue accordingly.
@Sven
in reply to Natasha Nox 🇺🇦🇵🇸

I'd also love to point fingers at
github.com/lutris/lutris/issue…