Technical information leak - Credentials

Need

Protection of sensitive credentials from being exposed

Context

  • Usage of C# for building robust and scalable applications
  • Usage of Microsoft.Extensions.DependencyInjection for dependency injection in .NET applications
  • Usage of Microsoft.AspNetCore.Mvc for building web applications with ASP.NET Core
  • Usage of Microsoft.Bot.Builder.Integration.AspNet.Core for integrating Microsoft Bot Framework with ASP.NET Core
  • Usage of Microsoft.Bot.Builder.Adapters for building chatbot adapters
  • Usage of Microsoft.Bot.Connector.Authentication for authenticating and securing bot connections

Description

Non compliant code

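    using Microsoft.Bot.Builder;
    using Microsoft.Bot.Builder.Integration.AspNet.Core;
    using Microsoft.Bot.Connector.Authentication;
    using Microsoft.Extensions.DependencyInjection;

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();

            services.AddSingleton<IBotFrameworkHttpAdapter, AdapterWithErrorHandler>();

            services.AddSingleton<ICredentialProvider, ConfigurationCredentialProvider>();

            services.AddSingleton<BotFrameworkAdapter, BotFrameworkHttpAdapter>();

            services.AddSingleton(sp =>
            {
                // Vulnerable: the Direct Line secret is a string literal in source code.
                var secretKey = "YOUR_DIRECT_LINE_SECRET_KEY";
                return new DirectLineAdapter(secretKey);
            });
        }
    }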

In the code snippet above, the Startup class is responsible for setting up the application's services during startup. The ConfigureServices method is where these services are defined and added to the application's service collection.

Among these services, there's a singleton instance of DirectLineAdapter being configured. The DirectLineAdapter is responsible for facilitating the communication between the bot and the Direct Line API.

The vulnerability lies in this part of the code:

    var secretKey = "YOUR_DIRECT_LINE_SECRET_KEY";
    return new DirectLineAdapter(secretKey);

Here, the Direct Line Secret Key is being hardcoded as a string in the application code. This is a major security risk as it exposes sensitive information that could be used to gain unauthorized access to the bot.

If the source code of the application is accessed by an attacker, they can easily read this secret key in plain text. Moreover, if the application's deployment package is being sent over an insecure network or stored insecurely, the secret key could be intercepted or retrieved.

Even if the code is minified or obfuscated, the secret key is still at risk of being exposed. Advanced reverse-engineering techniques can potentially reveal the secret key.

The best practice is to keep sensitive values such as secret keys out of the code and store them securely, for example in environment variables or a key vault.

Steps

  • Remove the direct line secret key from the code and store it securely.
  • Use a configuration file or environment variables to store the secret key.
  • Update the code to retrieve the secret key from the configuration file or environment variables.
  • Ensure that the configuration file or environment variables are not accessible to unauthorized users.
  • Consider using a secrets management solution to securely store and retrieve the secret key.

Compliant code

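    using Microsoft.Bot.Builder;
    using Microsoft.Bot.Builder.Integration.AspNet.Core;
    using Microsoft.Bot.Connector.Authentication;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;

    public class Startup
    {
        // Injected by the host; exposes configuration files and environment variables.
        public IConfiguration Configuration { get; }

        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();

            services.AddSingleton<IBotFrameworkHttpAdapter, AdapterWithErrorHandler>();

            services.AddSingleton<ICredentialProvider, ConfigurationCredentialProvider>();

            services.AddSingleton<BotFrameworkAdapter, BotFrameworkHttpAdapter>();

            services.AddSingleton(sp =>
            {
                // The secret is read from configuration at runtime, not from source code.
                var secretKey = Configuration["DirectLineSecretKey"];
                return new DirectLineAdapter(secretKey);
            });
        }
    }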

The original code had a vulnerability where the BotChat Direct Line Secret Key was hardcoded into the application. This is a security risk as it exposes sensitive information that could be exploited by malicious users.

The updated code fixes this vulnerability by retrieving the secret key from a configuration file or environment variable instead of hardcoding it into the application. This is done using the Configuration["DirectLineSecretKey"] line of code, which retrieves the value of the DirectLineSecretKey from the configuration file or environment variable.

This approach is more secure as it allows the secret key to be stored securely and not exposed in the application code. It also allows the secret key to be changed easily without requiring a code change.

In addition to this code change, it is important to ensure that the configuration file or environment variable is not accessible to unauthorized users. This can be done by setting appropriate file permissions or using a secrets management solution.

This change helps to protect the application from information leakage and potential unauthorized access.
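The following is an added example, not code from the original page or from the Bot Framework SDK. `Configuration["DirectLineSecretKey"]` returns null when no provider supplies the key, so this sketch shows a fail-fast check that also rejects a placeholder left in a committed settings file and lets an environment variable override it. The helper name `GetRequiredSecret`, the placeholder list and the sample value are assumptions made for illustration.

```csharp
// Added example. Assumed NuGet packages: Microsoft.Extensions.Configuration
// and Microsoft.Extensions.Configuration.EnvironmentVariables.
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;

public static class SecretConfig
{
    // Placeholder values (constructed list) that must never be accepted as a real secret.
    private static readonly HashSet<string> Placeholders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "YOUR_DIRECT_LINE_SECRET_KEY", "changeme" };

    // Hypothetical helper: returns the secret, or throws without echoing its value.
    public static string GetRequiredSecret(IConfiguration config, string key)
    {
        var value = config[key]; // null when no provider supplies the key
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Configuration value '{key}' is missing.");
        if (Placeholders.Contains(value))
            throw new InvalidOperationException($"Configuration value '{key}' is still a placeholder.");
        return value;
    }
}

public static class Program
{
    // Stands in for a committed appsettings.json that only carries a placeholder.
    private static readonly Dictionary<string, string?> CommittedSettings =
        new Dictionary<string, string?> { ["DirectLineSecretKey"] = "YOUR_DIRECT_LINE_SECRET_KEY" };

    public static void Main()
    {
        // Constructed sample value; in a real deployment the host or a secrets manager sets it.
        Environment.SetEnvironmentVariable("DirectLineSecretKey", "constructed-sample-value");
        IConfiguration withEnv = new ConfigurationBuilder()
            .AddInMemoryCollection(CommittedSettings)
            .AddEnvironmentVariables() // added last, so it overrides the committed value
            .Build();
        var secret = SecretConfig.GetRequiredSecret(withEnv, "DirectLineSecretKey");
        Console.WriteLine($"Secret loaded, {secret.Length} characters."); // log the length, never the value

        // Without the environment variable only the placeholder remains: refuse to start.
        IConfiguration withoutEnv = new ConfigurationBuilder().AddInMemoryCollection(CommittedSettings).Build();
        try { SecretConfig.GetRequiredSecret(withoutEnv, "DirectLineSecretKey"); }
        catch (InvalidOperationException ex) { Console.WriteLine($"Startup refused: {ex.Message}"); }
    }
}
```

In the `Startup` class above, the same check would replace the direct `Configuration["DirectLineSecretKey"]` lookup, so a missing or placeholder secret stops the application at startup instead of producing an adapter built with an unusable key.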
