WebAPI/Security/Contacts

From MozillaWiki
< WebAPI‎ | Security
Revision as of 11:14, 25 June 2012 by Ptheriault (talk | contribs) (Created page with "== Contacts API== Reference:https://wiki.mozilla.org/WebAPI/ContactsAPI Brief purpose of API: Access to users contacts. General Use Cases:N/A Inherent threats: *Read/exfiltrate...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Contacts API

Reference:https://wiki.mozilla.org/WebAPI/ContactsAPI Brief purpose of API: Access to users contacts.

General Use Cases:N/A

Inherent threats:

  • Read/exfiltrate confidential information,
  • Destroy user's contact data
  • DoS via filling address book with bogus data

Threat severity: high

Regular web content (unauthenticated)

Use cases for unauthenticated code: Mediated access limited contact information
Authorization model for uninstalled web content: OS mediated (web activities, or trusted UI)
Authorization model for installed web content: OS mediated (web activities, or trusted UI)

Potential mitigations:

  • App requests a contact via web activities or trusted UI
  • API provides a local identifier instead of the actual contact information

Trusted (authenticated by publisher)

Use cases for authenticated code: Create,read or edit contact information
Authorization model: Explicit
Potential mitigations:

  • Let user configure what data is accessible (globally?)
  • Have separate permissions read,create or update/delete? (assuming that

many apps only want read, and could use web activities to create a contact if necessary?)

Certified (vouched for by trusted 3rd party)

Use cases for certified code: Create,read or edit contact information
Authorization model: Implicit Potential mitigations: None

Retrieved from "https://wiki.mozilla.org/index.php?title=WebAPI/Security/Contacts&oldid=445026"