'[oss-security] CVE Request: CSRF vulnerability in OmniAuth request phase'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE Request: CSRF vulnerability in OmniAuth request phase
From:       Douwe Maan <douwe () gitlab ! com>
Date:       2015-05-26 11:56:13
Message-ID: etPan.55645f5d.19495cff.34b () Douwes-MacBook-Pro ! local
[Download RAW message or body]


Affected software:  
- Ruby gem (library) OmniAuth[0]
- Gems that use OmniAuth, e.g. Devise[1]

Type of vulnerability:  
Cross-Site Request Forgery

Original report by:  
Mohamed Abdelbaset Elnoby, Senior Information Security Analyst at Seekurity.com[2]
[The website Seekurity.com isn't currently working.]

Summary:

OmniAuth is a library used in Ruby web applications to authenticate users using  
external services, for example OAuth providers.  

The request phase of OmniAuth is vulnerable to Cross-Site Request Forgery. This  
is the step that actually connects an external account (on a connected OAuth  
provider) to an internal account (on the web application itself). This means  
that when a client is signed into an account on the web application, and signed  
into an account on a connected OAuth provider, these two accounts can be  
connected without user intent, user interaction or feedback to the user. From  
here on out, the external account can be used to sign into the web application  
as the internal account.  

If the sign in action at a connected OAuth provider is vulnerable to CSRF, an  
attacker can force the victim's client to be logged into the external service  
using an account beloning to the attacker, can then force this external account  
to be connected to the internal account, and can from here on out use their  
account on the external service to log into the victim's account on the targeted  
application.

We are aware of one large OAuth provider where the sign in action is or was  
vulnerable to CSRF.

Issue report and patch:  
https://github.com/intridea/omniauth/pull/809

References:
[0] https://github.com/intridea/omniauth
[1] https://github.com/plataformatec/devise
[2] https://twitter.com/symbiansymoh

Thanks,

Douwe Maan
GitLab

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic