Per mapbox.js#L231 and mapbox.js#L197, the Mapbox ACCESS_TOKEN is stored in the browser localStorage. This is a security breach as it becomes available to the end client user even if they have been properly authenticated and authorized.
mapbox-gl-js version: v0.53.0-beta.1 as well as master
Thank you for opening this issue @prachikhadke! Can you please report this via https://www.mapbox.com/platform/disclosure/ to get the attention of our security team?
This is a security breach as it becomes available to the end client user even if they have been properly authenticated and authorized.
Is this really an issue? The client always has that access token regardless if it's stored in local storage or not. :confused:
The Mapbox client (i.e. client code that uses Mapbox code) does have the access token, but the end user using the client code application shouldn't.
Submitted report https://hackerone.com/reports/492285
but the end user using the client code application shouldn't.
Any time you do "View source" on a Mapbox map, or open the Network tab of DevTools, you'll see the access token — it is public (and the Mapbox tokens page even says explicitly that it's a public token). I think this is not an issue.
That's exactly my point. It shouldn't be accessible via DevTools. It shouldn't be public.
@prachikhadke how do you expect it to be hidden? It's a part of the tile requests from the web page. It's impossible to make it private — that's not how the Web works.
True. I can understand that. Ok. I am okay with this then.
@prachikhadke thank you! We should definitely improve docs / communication around this, and still investigating internally on next actions.