Overview

On April 16th, 2021, the Security team at Streamlit learned of a potential vulnerability in the Streamlit Sharing platform that was introduced by a code change on March 15. After a thorough internal analysis as well as through our partnership with GitHub, we have found no evidence of unauthorized activity during this period. We patched the vulnerability as of April 19th, and we have taken additional measures to protect our users.

What was the issue?

During this period, a specially crafted Streamlit app running on the Sharing platform could inspect the inbound web requests, reverse-engineer the cookies, and gain access to the app viewer’s GitHub OAuth token. This would only affect developers on the Sharing platform who visited such apps while they were logged in to the platform.

If an app viewer was not a developer on the Sharing platform, they were not impacted by this vulnerability.

The GitHub OAuth tokens could be used to perform GitHub operations on the user’s behalf. The number of GitHub operations that can be performed using the token is restricted by the OAuth scopes granted by users. The Streamlit Sharing platform follows the security principle of least privilege, and requests only the OAuth scopes that are strictly necessary for platform features. More information about GitHub OAuth scopes is available at this link.

How was it discovered?

This vulnerability was discovered and responsibly reported to us by Jonathan Camp at Intelecy.

How did we respond?

To mitigate the security vulnerability, we rolled out a code change to the backend of the Sharing platform that encrypted the sensitive cookies on the platform, so that attackers could no longer inspect or reverse-engineer the platform. We also rolled out a code change that strips out any sensitive information from the web requests sent to the Streamlit apps that could reveal implementation details of the platform. Finally, out of abundant precaution, we revoked all user tokens associated with the Streamlit OAuth application, which rendered any tokens stolen by attackers useless.

What should I do?

At this time, no action is needed on the user’s behalf. On your next visit to Streamlit Sharing, you will need to re-authorize your account via the GitHub OAuth consent flow.

If you notice any unusual activity in your GitHub account, please report it to security@streamlit.io.

Who was impacted?

After a thorough internal analysis as well as through our partnership with GitHub, we have found no evidence of unauthorized activity.

Is this exploit available publicly?

We are not aware of any public exploits at this time.

Who has already been notified?

A small set of Beta testers on the platform that had access to some restricted features on the platform were notified on April 23, 2021. All other users were notified on May 7, 2021.

How are we preventing such issues going forward?

Our security team was already undergoing a deep technical review and penetration test of the Streamlit Sharing platform before this incident, and we will be completing and acting on the findings of this review in the near future. Following our incident retrospective, we updated our security best-practices playbook to ensure we more thoroughly review code changes related to session management and other sensitive areas of our codebase.