[GH-ISSUE #112] Smsync tasker request needs to send a value that can be authenticated against in the receiving webservice #91

New issue

Closed

opened 2026-02-28 01:23:08 +03:00 by kerem · 0 comments

kerem commented 2026-02-28 01:23:08 +03:00

Owner

Copy link

Originally created by @vaneyck on GitHub (Jul 24, 2013).
Original GitHub issue: https://github.com/ushahidi/SMSSync/issues/112

If some malicious developer had the url where the web service is running, they would be able to poll for messages to send.

This is because the url that smssync generates looks as follows http://somedomain.com/smssync?task=send

Anyone who can formulate this can get your messages and send them on your behalf using his smssync running instance

So we need to sharpen this section of the app, the tasker should possibly send the secret as part of the GET request or as part of the payload. The webservice can then chose to authenticate this request coming from the smssync running instance by counter checking the value(secret) sent

The docs may need updating, as they need to make mention of this new requirement.

Originally created by @vaneyck on GitHub (Jul 24, 2013). Original GitHub issue: https://github.com/ushahidi/SMSSync/issues/112 If some malicious developer had the url where the web service is running, they would be able to poll for messages to send. This is because the url that smssync generates looks as follows http://somedomain.com/smssync?task=send Anyone who can formulate this can get your messages and send them on your behalf using his smssync running instance So we need to sharpen this section of the app, the tasker should possibly send the secret as part of the GET request or as part of the payload. The webservice can then chose to authenticate this request coming from the smssync running instance by counter checking the value(secret) sent The docs may need updating, as they need to make mention of this new requirement.

kerem 2026-02-28 01:23:08 +03:00

• closed this issue
• added the
  Code improvement
  label

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

fix-local-web-client-ssl-error

473-add-firebase-crash-reporting-support

fix-duplicate-messages

fix-app-crashes

466-add-link-to-privacy-policy

461-fix-multiple-sync-of-a-message

447-upgrade-raiburari

415-remove-read-phone-state-permission

420-dont-log-misleading-mesgs

414-whitelist-causes-dup-sync

410-remove-unused-fields

440-add-support-for-github-templates

364-secret-key-getting-duplicated

gh-pages

legacy-2.x.x

v3.1.1

v3.1.0

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.8.0-rc.1

v2.8.0-beta.1

v2.8.0-alpha.3

v2.8.0-alpha.2

v2.8.0-alpha.1

v2.7.3

v2.7.2

v2.7.1

v2.7

v2.6.1

v2.6

v2.5.1

v2.5

v2.4

v2.4-alpha-3

v2.4-alpha-2

v2.4-alpha-1

v2.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.0.9

v1.0.8

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0

Labels

Clear labels   

Bug report

  

Code improvement

  

Concern

  

Feature request

  

Feature request

  

Good first issue to work on

  

In progress

  

Needs info

  

Question

  

Ready

  

Translation

  

User Experience

  

User Experience

  

Website

  

pull-request

Mirrored from GitHub Pull Request

No labels

Bug report

Code improvement

Concern

Feature request

Feature request

Good first issue to work on

In progress

Needs info

Question

Ready

Translation

User Experience

User Experience

Website

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/SMSSync#91

No description provided.