Security Advisories

Insecure Session Token Reuse

TinyPilot Security Advisory #002

Published: March 24, 2022

Overview

Versions of TinyPilot Pro before 2.4.0 suffer a vulnerability that allows authenticated users to continue their sessions even after the TinyPilot system credentials have been changed.

Severity

Medium

Impact

This vulnerability allows a user who logged in with valid credentials to continue accessing TinyPilot even if another user changes TinyPilot's username and password.

Who does this vulnerability affect?

This vulnerability impacts you if you meet all the following conditions:

  • You enabled password-based authentication on your TinyPilot web interface.
  • You shared the username and password credentials with a another user.
  • You changed the username and password credentials to discontinue the other user's access to TinyPilot.
  • The other user still has network access to the TinyPilot device.

What is the fix?

Permanent fix

Upgrade to TinyPilot Pro 2.4.0 or later to fix this issue.

Short-term workaround

If you can't upgrade to 2.4.0 in the short term, you can use the following workaround to invalidate all TinyPilot sessions.

Access your TinyPilot over SSH and run the following commands:

sudo rm /home/tinypilot/.flask-secret-key && \
  sudo service tinypilot restart

Note that the above workaround will force all users to reauthenticate the next time they access the TinyPilot web interface.

Detailed explanation

TinyPilot uses Flask's secure session functionality to store session information. Flask stores all data in the end-user's browser and cryptographically signs it to ensure that the user can't tamper with the information. TinyPilot authenticates users by reading the username from the user's session data and verifying that the session signature is valid.

Before version 2.4.0, TinyPilot Pro did not implement a mechanism for invalidating session data after the user's credentials changed. If a user changed the TinyPilot web interface's username and password, any session that TinyPilot created prior to the change would remain valid because its continued to have a valid signature.

To fix this vulnerability, TinyPilot Pro 2.4.0 adds timestamps to Flask's signed session information. For each authenticated request, TinyPilot compares the modification time on the user's credentials with the timestamp in the user's session data. If the session contains an outdated timestamp, TinyPilot rejects the session and forces the user to reauthenticate.

Questions

If you have any questions or concerns about this issue, please email me:

Written by Michael Lynch, Founder and Lead Developer of TinyPilot