[GH-ISSUE #112] Smsync tasker request needs to send a value that can be authenticated against in the receiving webservice #91

Closed
opened 2026-02-28 01:23:08 +03:00 by kerem · 0 comments
Owner

Originally created by @vaneyck on GitHub (Jul 24, 2013).
Original GitHub issue: https://github.com/ushahidi/SMSSync/issues/112

If some malicious developer had the URL where the web service is running, they would be able to poll for messages to send.

This is because the URL that smssync generates looks as follows: http://somedomain.com/smssync?task=send

Anyone who can formulate this can get your messages and send them on your behalf using his running smssync instance.

So we need to sharpen this section of the app. The tasker should possibly send the secret as part of the GET request or as part of the payload. The webservice can then choose to authenticate this request coming from the running smssync instance by counter-checking the value (secret) sent.

The docs may need updating, as they need to make mention of this new requirement.
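
One way a receiving web service could perform the check proposed in this issue, as an added example that is not part of the original issue or of the SMSSync code base. The parameter name `secret`, the function names, the sample secret and the JSON response shape are assumptions made for illustration.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed sample values; a real deployment loads the secret from config.
CONFIGURED_SECRET = "example-shared-secret"
PENDING = [{"to": "+000000000", "message": "constructed sample"}]


def extract_secret(query_string, body=""):
    """Return the single 'secret' value from the query string or form body, else None."""
    values = parse_qs(query_string).get("secret", []) + parse_qs(body).get("secret", [])
    # Reject absent, blank or repeated values rather than guessing which to trust.
    return values[0] if len(values) == 1 else None


def handle_task_request(query_string, body="", secret=CONFIGURED_SECRET, pending=PENDING):
    """Return (status, json_body) for a poll such as /smssync?task=send."""
    params = parse_qs(query_string)
    if params.get("task") != ["send"]:
        return 400, json.dumps({"error": "unsupported task"})
    supplied = extract_secret(query_string, body)
    # compare_digest avoids leaking how many leading characters matched.
    if supplied is None or not hmac.compare_digest(supplied.encode(), secret.encode()):
        # Unauthenticated pollers get no queued messages.
        return 401, json.dumps({"error": "authentication failed"})
    return 200, json.dumps({"task": "send", "messages": pending})
```

Of the two options the issue names, sending the secret in the payload keeps it out of URL access logs, which a GET query parameter does not.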
