I found live session tokens in R2 backups: customer_sessions and BACKUP_SKIP_DATA (PR #560, SS F1)
Dogan is a 34-year-old independent cloud security consultant from Etiler, Besiktas, Istanbul, with eight years in the field: five at an MSSP, three on his own. His specialty is Cloudflare R2 and AWS S3 object-storage misconfiguration and data-at-rest exposure, and he writes a Turkish/English security blog as @dogancc.

In Q1 2026 he forked the thMenu open-source repo for a responsible-disclosure review and read the code paths in depth. What he found: the Sunday-night backup cron wrote every row of customer_sessions to R2. Nothing excluded the table; the BACKUP_SKIP_DATA set that does so today did not exist yet.

The backup itself is the classic disaster-recovery pattern. dumpDatabaseToR2 in cloudflare/src/cron-jobs/backup.ts iterates the D1 tables, emits each row as an INSERT statement, gzips the dump and writes it to R2 with 28-day retention.

The customer_sessions schema: id (PK), session_token (90-day TTL), user_id (FK), expires_at, created_at, last_seen_at, ip_address, user_agent. session_token is a LIVE bearer token: whoever holds it reaches the customer profile dashboard without going through authentication at all.

Mental model:
(1) Customer A logs in and receives session_token_A with a 90-day TTL.
(2) Sunday night the backup cron dumps customer_sessions, so session_token_A lands in an R2 file as an INSERT statement.
(3) Customer A later logs out and the DB row is deleted, but every backup taken while the session was alive stays in R2 for its 28-day retention.
(4) Anyone with read access to the bucket (a leaked CF API token, a rogue contractor, a public-read misconfiguration on R2) downloads a backup and pulls session_token_A out of it.
(5) As long as the 90-day TTL has not run out, they impersonate Customer A and walk straight into the profile.

Affected tables:
(a) customer_sessions: 90-day tokens, CRITICAL, direct impersonation.
(b) customer_email_links: magic-link hashes with a 24h TTL. Most are expired long before the 28-day backup window closes, and only the hash is stored, so the risk is lower, but it is still exposure.
(c) pin_failures: PII (staff email, ip_hash, attempt count), a GDPR concern.
(d) pw_failures: the same PII profile.

Dogan sent his write-up to security@thmenu.com: the D1 dump wrote entire rows into R2 with 28-day retention, giving live customer_sessions tokens a 28-day exposure window in the bucket. CVSS 7.5 (HIGH), data-at-rest disclosure leading to account takeover.
Engineering's first reaction was three wrong theories.

(1) "The backups are access-controlled: CF API token plus IAM only." True, but "the door is locked, so a live secret inside is no problem" is the opposite of defense in depth.

(2) "The session token TTL is short, 90 days." True, but not enough. With 28-day retention and repeated backups, several retained dumps carry the same token at once, and the token stays valid for up to 90 days whatever happens to the row, so the overlapping exposure runs 60-90 days. pin_failures and pw_failures have no TTL at all.

(3) "The dump is encrypted: PR #585 (batch XX F2) shipped an AES-256-GCM at-rest encryption helper for R2." Also true; the backup content is encrypted. But an attacker who obtains the key and a backup holds live secrets. Encryption is not a reason to put them there; a backup that contains live secrets is a security smell.

The right pattern: do not back up the DATA of live-secret tables at all. Emit only the SCHEMA. Disaster recovery then restores the sessions table empty, users re-authenticate, and the failure counters start from zero.

PR #560 (batch SS F1) is the minimal, high-impact fix in cloudflare/src/cron-jobs/backup.ts: a BACKUP_SKIP_DATA set (the list of tables whose data is never dumped), const BACKUP_SKIP_DATA = new Set(['customer_sessions', 'customer_email_links', 'pin_failures', 'pw_failures']), and in the backup loop: if BACKUP_SKIP_DATA.has(tableName), call emitSchemaOnly(tableName) and continue. The schema-only emit writes the CREATE TABLE plus a sentinel comment marking the data as SKIPPED because the table holds live secrets.

Disaster-recovery test: restore from a backup, sessions come back empty, every active user re-authenticates. That is natural session invalidation; the authentication path already treats "no session" as "send the user through the login flow", so nothing new had to be handled.

The PR #585 (XX F2) AES-256-GCM encryption stays in place. Three layers now: live-secret skip, at-rest encryption, bucket IAM.

Production audit: the 28-day window of R2 backups held 17,238 customer_sessions rows cumulatively, 23% of them with the TTL still active. R2 access logs showed zero anomalous reads; only the cron and the DR test had touched the bucket. Old backup files were purged of customer_sessions data by a manual job: decrypt, strip the INSERT statements, re-encrypt.

Dogan received a €1800 bounty via Wise for the CVSS 7.5 finding, a Hall of Fame entry and an invitation to the security advisory board; his blog post drew 4.1k engagement in the Turkish security community. Femke, a 37-year-old ex-AWS security architect from Oud-West, Amsterdam, with 12 years' experience, reported the same issue in parallel and received €1800 as well; her LinkedIn post reached 5.3k across the Nordic and DACH communities.

The pattern: for D1 or RDS backups, never emit the DATA of live-secret or live-token tables; schema only is enough for disaster recovery. The backup retention period is an exposure window during which a live token can be retrieved, and a retrievable live token is an account takeover.
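The fixed backup loop and the purge for pre-fix dumps, as an added example in TypeScript that is not thMenu's backup.ts. BACKUP_SKIP_DATA and emitSchemaOnly follow the names in PR #560; TableSource (a stand-in for the D1 binding), sqlLiteral, dumpDatabaseWith, stripSkippedInserts, dumpContains and the sample rows are assumptions constructed for this example.

```typescript
// Added example, not thMenu's backup.ts. The D1 binding is replaced by a
// constructed in-memory TableSource so the dump logic runs offline.

const BACKUP_SKIP_DATA = new Set<string>([
  "customer_sessions", "customer_email_links", "pin_failures", "pw_failures",
]);

// Stand-in for a D1 table (constructed for this example).
interface TableSource {
  name: string;
  createSql: string;                      // what sqlite_master.sql holds
  rows: () => Record<string, unknown>[];  // what SELECT * returns
}

// Render a value as a SQLite literal. SQLite has no backslash escapes, so a
// newline inside a string is spliced in as char(10); that keeps every INSERT
// on one physical line, which the purge step below depends on.
function sqlLiteral(v: unknown): string {
  if (v === null || v === undefined) return "NULL";
  if (typeof v === "number") return String(v);
  if (typeof v === "boolean") return v ? "1" : "0";
  const quoted = String(v).replace(/'/g, "''").replace(/\r/g, "");
  return "'" + quoted.split("\n").join("' || char(10) || '") + "'";
}

// Live-secret tables: CREATE TABLE plus a sentinel comment, never a row.
function emitSchemaOnly(t: TableSource): string {
  return `${t.createSql};\n-- SKIPPED data: live-secret table, restored empty on purpose\n`;
}

// Ordinary tables: CREATE TABLE plus one INSERT per row.
function emitTable(t: TableSource): string {
  const out = [`${t.createSql};`];
  for (const row of t.rows()) {
    const cols = Object.keys(row);
    const vals = cols.map((c) => sqlLiteral(row[c]));
    out.push(`INSERT INTO ${t.name} (${cols.join(", ")}) VALUES (${vals.join(", ")});`);
  }
  return out.join("\n") + "\n";
}

function dumpDatabaseWith(tables: TableSource[], skip: Set<string>): string {
  return tables.map((t) => (skip.has(t.name) ? emitSchemaOnly(t) : emitTable(t))).join("");
}

// The post-fix backup loop.
function dumpDatabase(tables: TableSource[]): string {
  return dumpDatabaseWith(tables, BACKUP_SKIP_DATA);
}

// Purge for dumps written before the fix (run between decrypt and re-encrypt):
// drop INSERTs aimed at skipped tables, leave every other line untouched.
function stripSkippedInserts(dump: string): string {
  const insertRe = /^INSERT INTO\s+"?([A-Za-z_][A-Za-z0-9_]*)"?[\s(]/;
  return dump
    .split("\n")
    .filter((line) => !BACKUP_SKIP_DATA.has(insertRe.exec(line)?.[1] ?? ""))
    .join("\n");
}

// Constructed sample data: one customer, one live session with a 90-day token.
const SAMPLE_TOKEN = "sess_constructed_token_A";
function sampleTables(): TableSource[] {
  return [
    {
      name: "customers",
      createSql: "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, note TEXT)",
      rows: () => [{ id: 1, email: "a@example.com", note: "it's\nmultiline" }],
    },
    {
      name: "customer_sessions",
      createSql:
        "CREATE TABLE customer_sessions (id INTEGER PRIMARY KEY, session_token TEXT, user_id INTEGER, " +
        "expires_at TEXT, created_at TEXT, last_seen_at TEXT, ip_address TEXT, user_agent TEXT)",
      rows: () => [{
        id: 7, session_token: SAMPLE_TOKEN, user_id: 1, expires_at: "2026-06-01T00:00:00Z",
        created_at: "2026-03-03T00:00:00Z", last_seen_at: "2026-03-03T00:00:00Z",
        ip_address: "203.0.113.9", user_agent: "Mozilla/5.0",
      }],
    },
  ];
}

// The review check: does this dump still contain a given live token?
function dumpContains(dump: string, needle: string): boolean {
  return dump.includes(needle);
}

console.log(dumpDatabase(sampleTables()));
```

The purge step is line-oriented, so the emitter must never let a row value break an INSERT across lines; that is why sqlLiteral splices newlines in as char(10) instead of writing them raw. Dumping with an empty skip set reproduces a pre-fix backup, which is what stripSkippedInserts is meant to clean.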
Sibling sweep: customer_sessions, customer_email_links, pin_failures, pw_failures, customer_push_subscriptions (PR #654, VIII F2), and oauth_authorization_codes / refresh_tokens (Phase 2, later).

Implementation checklist: enumerate the live-secret tables in the backup dump; add them to BACKUP_SKIP_DATA; emit schema only; run the disaster-recovery test; audit production and purge existing backups; add a PR-template checkbox; run a quarterly grep audit of live-secret tables against BACKUP_SKIP_DATA membership. PR #560 is the reference.
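A CI replacement for the quarterly grep audit in the checklist above, as an added example that is not thMenu code: it parses CREATE TABLE statements from a migrations excerpt and reports every table with secret-looking columns that is missing from BACKUP_SKIP_DATA. The column-name heuristic (SECRET_COLUMN), the KNOWN_BENIGN exception list, parseCreateTables, auditSkipList and the sample schema are assumptions constructed for this example.

```typescript
// Added example, not thMenu code: automates the "live-secret table x
// BACKUP_SKIP_DATA membership" audit so it fails a build instead of waiting
// for a quarterly grep. Column-name heuristics are an assumption.

const BACKUP_SKIP_DATA = new Set<string>([
  "customer_sessions", "customer_email_links", "pin_failures", "pw_failures",
]);

// Column names that normally hold a bearer secret or a hash of one.
const SECRET_COLUMN = /(token|secret|code|hash|^auth$|p256dh)/i;

// Reviewed columns that match the heuristic but are not secrets ("table.column").
const KNOWN_BENIGN = new Set<string>(["menu_items.item_code"]);

interface TableDef { name: string; columns: string[] }

// Parse "CREATE TABLE name (col TYPE ..., CONSTRAINT ...)" blocks. The column
// list is split on top-level commas only, so FOREIGN KEY (a, b) clauses do not
// break the parse; constraint clauses are dropped.
function parseCreateTables(sql: string): TableDef[] {
  const defs: TableDef[] = [];
  const re = /CREATE TABLE(?: IF NOT EXISTS)?\s+"?(\w+)"?\s*\(/gi;
  let m: RegExpExecArray | null;
  while ((m = re.exec(sql)) !== null) {
    let depth = 1, i = re.lastIndex, start = i;
    const parts: string[] = [];
    for (; i < sql.length && depth > 0; i++) {
      const ch = sql[i];
      if (ch === "(") depth++;
      else if (ch === ")") { depth--; if (depth === 0) parts.push(sql.slice(start, i)); }
      else if (ch === "," && depth === 1) { parts.push(sql.slice(start, i)); start = i + 1; }
    }
    const columns = parts
      .map((p) => p.trim())
      .filter((p) => p !== "" && !/^(PRIMARY KEY|FOREIGN KEY|UNIQUE|CHECK|CONSTRAINT)\b/i.test(p))
      .map((p) => (p.split(/\s+/)[0] ?? "").replace(/"/g, ""));
    defs.push({ name: m[1] ?? "", columns });
    re.lastIndex = i;
  }
  return defs;
}

// Tables that hold secret-looking columns but whose data is still dumped.
function auditSkipList(
  sql: string,
  skip: Set<string> = BACKUP_SKIP_DATA,
  benign: Set<string> = KNOWN_BENIGN,
): string[] {
  return parseCreateTables(sql)
    .filter((t) => !skip.has(t.name))
    .filter((t) => t.columns.some((c) => SECRET_COLUMN.test(c) && !benign.has(`${t.name}.${c}`)))
    .map((t) => t.name);
}

// Constructed migrations excerpt (not thMenu's real schema).
const SAMPLE_SCHEMA = `
CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT);
CREATE TABLE customer_sessions (id INTEGER PRIMARY KEY, session_token TEXT NOT NULL, user_id INTEGER,
  expires_at TEXT, FOREIGN KEY (user_id) REFERENCES customers(id));
CREATE TABLE customer_push_subscriptions (id INTEGER PRIMARY KEY, user_id INTEGER, endpoint TEXT, p256dh TEXT, auth TEXT);
CREATE TABLE oauth_refresh_tokens (id INTEGER PRIMARY KEY, refresh_token TEXT, client_id TEXT);
CREATE TABLE menu_items (id INTEGER PRIMARY KEY, item_code TEXT, price INTEGER);
`;

console.log("not in BACKUP_SKIP_DATA:", auditSkipList(SAMPLE_SCHEMA));
```

On the sample schema the audit reports customer_push_subscriptions and oauth_refresh_tokens, the two tables the sibling sweep above lists as follow-ups, and stays quiet about customer_sessions because it is already in the set. The heuristic is deliberately broad: menu_items.item_code matches "code", and the reviewed exception list is where such a column goes once a human has confirmed it is not a secret, so a new table with a token column fails loudly rather than slipping through.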
thMenu Team
thmenu.com