Re: rclone data exflitration / unauthorized API use

[Solar Designer <solar () openwall com>]

Hi Daniel,

On Tue, Jun 26, 2018 at 05:56:18PM -0700, oss-security-list () contactdaniel net wrote:
> Due to it's reliance on vulnerable upstream vendor SDKs & APIs, all 
> current versions of 'rclone' are subject to a variety of attacks.
>
> This vulnerability is an instance of a class of security vulnerabilities 
> that affect a wide variety of software. Any API which has clients 
> perform actions on arbitrary URLs chosen by the API server will lead to 
> this class of attack becoming a concern.
>
> Current Google Cloud Storage SDKs/APIs, Backblaze B2 APIs, and Yandex 
> Disk APIs are affected.
>
> No CVE is presently assigned.
>
> Further details at: 
> https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/

We have a policy here that while list postings may refer to external
URLs, they must be complete on their own, and yours is not.  Please see:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

I'm attaching a text export of your blog post to this message.  Next
time, please do something like this on your own.

Thanks,

Alexander

Attachment: restless-vuln.txt
Description: