Ore API keys invalidated because of security risk

Just now we deleted all deploy keys currently stored on Ore. Why did we do this? The gist of it is that we discovered that some Ore staff had access to these keys in the past. We have therefore deleted all keys to make sure they can’t be abused in the future. It is perfectly safe to generate a new key for use. The problems have already been fixed in the latest Ore release.

First off, we do not believe those who have seen the keys can use them for any malicious purpose. The reason is that the only way PGP keys currently add any real security to Ore is by verifying the uploader of a jar submitted through the API. An attacker would need a valid signature when uploading the plugin, and unless your private key is compromised, there is no way they can obtain such a signature.

So, what happened exactly, and why didn’t we discover this sooner? The last release we did for Ore (1.8.2) contained mostly smaller fixes and such, but there was one big part of that release too: a new permission system. With this new system, we could hand out specific permissions to specific groups. That’s not to say, however, that Ore didn’t have permissions before this release. It did, but we kind of didn’t use them. Before we introduced the new permission system to Ore, it relied on trust levels, and we assigned both roles and permissions different trust levels. So while we coded as if Ore had several different permissions, in truth it only had around 5. I’m still not quite sure where stuff went wrong from here, but I know that the result was that Ore staff had many more permissions than they were supposed to.
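As an added illustration (not Ore’s code; every role, permission and trust-level name below is hypothetical), here is a model of the flaw described above: when both roles and permissions are ranked on one trust scale, a permission check degenerates into a level comparison, distinct permissions collapse into a handful of tiers, and staff roles receive rights they were never meant to have. The explicit grant list next to it is the least-privilege alternative.

```python
"""Trust-level authorization versus explicit grants (hypothetical model)."""
from enum import IntEnum


class Trust(IntEnum):
    """Hypothetical trust tiers; Ore's real names and values are not known here."""
    DEFAULT = 0
    CONTRIBUTOR = 1
    MODERATOR = 2
    ADMIN = 3


# Old model: each permission is just a minimum trust level (hypothetical names).
PERMISSION_TRUST = {
    "view_public_project": Trust.DEFAULT,
    "upload_version": Trust.CONTRIBUTOR,
    "review_project": Trust.MODERATOR,
    "view_deploy_keys": Trust.MODERATOR,  # sensitive: should never be a staff perk
    "manage_site": Trust.ADMIN,
}

# Old model: each role is also just a trust level.
ROLE_TRUST = {"user": Trust.DEFAULT, "author": Trust.CONTRIBUTOR,
              "reviewer": Trust.MODERATOR, "admin": Trust.ADMIN}

# New model: each role lists exactly the permissions it is granted.
ROLE_GRANTS = {
    "user": frozenset({"view_public_project"}),
    "author": frozenset({"view_public_project", "upload_version"}),
    "reviewer": frozenset({"view_public_project", "review_project"}),
    "admin": frozenset({"view_public_project", "upload_version",
                        "review_project", "manage_site"}),
}


def has_permission_by_trust(role: str, perm: str) -> bool:
    """Old check: any role at or above the permission's tier is granted it."""
    return ROLE_TRUST[role] >= PERMISSION_TRUST[perm]


def has_permission_explicit(role: str, perm: str) -> bool:
    """New check: granted only if the role's grant list names the permission."""
    return perm in ROLE_GRANTS.get(role, frozenset())


def distinct_permission_classes() -> int:
    """How many genuinely different permission sets the trust model can express."""
    return len(set(PERMISSION_TRUST.values()))


def effective_permissions(check, role: str) -> set:
    return {perm for perm in PERMISSION_TRUST if check(role, perm)}


def overgranted(role: str) -> set:
    """Permissions the trust model hands out that the explicit grants do not."""
    return (effective_permissions(has_permission_by_trust, role)
            - effective_permissions(has_permission_explicit, role))
```

Running `overgranted("reviewer")` shows the staff role silently picking up both `upload_version` and `view_deploy_keys`, which is the kind of gap the explicit grant list closes.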

That leaves one question: why wasn’t this found sooner? This is probably the question I know the least about, and I don’t think there is a single good reason here. For me as an Ore dev, I thought it was part of the special permissions Ore devs are granted. For the staff that had access, I guess it boiled down to the fact that many didn’t think much about it, or thought it was a feature.