How recent security fixes may affect your macros and API usage

Posted by Bill

18 July 2014

To improve the security of your data, Mingle 14.1 included several fixes for security vulnerabilities. If you were using the API to access data from a custom macro or an external application, it is possible that, because of these fixes, you will no longer be able to access that data with 14.1 or later versions until you update your code.

API Requests using Existing Session or Login Cookie

In the past, an API request made through a browser would authenticate using your existing login cookie if you had already signed in.

Starting with 14.1, an API request must include either HTTP Basic Auth headers or an HMAC signature to be authenticated. A request that carries neither (for example, one relying only on the session cookie) receives a 404. Mingle will not pop up a prompt for credentials. This is intentional: an attacker probing the API cannot tell whether a resource exists and is protected or does not exist at all.

Cross-site Request Forgery

CSRF is a common vulnerability in web applications: a signed-in user is tricked into clicking a link or loading a page from a phony app or email, and their browser sends a request to the real application with their existing session, performing actions they did not intend.

Prior to 14.1, JavaScript from a custom macro inside a Mingle page could make an AJAX request to Mingle and authenticate successfully based on the existing session (see above). With 14.1, the request must also include a unique token taken from the page so Mingle can confirm it is a trusted request from the real app rather than from a third-party site.

If your macro code relies on the jQuery loaded by the Mingle app, your requests should continue to work in 14.1, because that copy attaches the token for you. However, if you bundled your own copy of jQuery or use a different framework, you will have to submit a valid token yourself for your POST/PUT requests to work.

Keeping Your Data Safe

The changes above may affect your macros and integrations and require extra effort to update them. However, they were made after a very thorough security audit of the application, and we felt they were worth the inconvenience to keep your data secure. If you have any questions about these changes, or about Mingle in general, please contact our support team.
