{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/auth/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["auth","auth/v2"],"_cs_severities":["critical"],"_cs_tags":["authentication","oauth","id_collision","vulnerability"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eA critical vulnerability exists in the Patreon OAuth provider of the \u003ccode\u003ego-pkgz/auth\u003c/code\u003e and \u003ccode\u003ego-pkgz/auth/v2\u003c/code\u003e libraries. The provider\u0026rsquo;s \u003ccode\u003emapUser\u003c/code\u003e function assigns every authenticated Patreon account the same local \u003ccode\u003euser.ID\u003c/code\u003e instead of deriving a unique ID from the Patreon account data. The flaw, present in \u003ccode\u003ego-pkgz/auth\u003c/code\u003e 1.18.0 through 1.25.1 and \u003ccode\u003ego-pkgz/auth/v2\u003c/code\u003e 2.0.0 through 2.1.1, arises because the code hashes a field that is never populated instead of the Patreon user ID: the resulting local ID is \u003ccode\u003epatreon_\u003c/code\u003e followed by the SHA-1 digest of the empty string, so every Patreon user collapses into a single identity. Any application that relies on \u003ccode\u003etoken.User.ID\u003c/code\u003e for authentication or authorization decisions is exposed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user starts a login to an application that uses the affected \u003ccode\u003ego-pkgz/auth\u003c/code\u003e library with the Patreon OAuth provider.\u003c/li\u003e\n\u003cli\u003eThe application redirects the user to Patreon for authentication.\u003c/li\u003e\n\u003cli\u003eThe user authenticates with Patreon and is redirected back to the application with an authorization code.\u003c/li\u003e\n\u003cli\u003eThe application exchanges the authorization code for an access token.\u003c/li\u003e\n\u003cli\u003eThe application uses the access token to retrieve the user\u0026rsquo;s Patreon profile data.\u003c/li\u003e\n\u003cli\u003eThe library\u0026rsquo;s Patreon provider passes the profile to the vulnerable \u003ccode\u003emapUser\u003c/code\u003e function to build the local user. Because the hashed field is empty, every account receives the same local user ID: \u003ccode\u003epatreon_da39a3ee5e6b4b0d3255bfef95601890afd80709\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe mapped user object is stored in the JWT claims issued to the browser.\u003c/li\u003e\n\u003cli\u003eSubsequent requests from different Patreon users are treated as coming from the same user, which can lead to data leakage, privilege escalation, or account takeover. No attacker action beyond a valid Patreon login is required; any second Patreon user triggers the collision.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAll Patreon-authenticated users of an affected application are collapsed into a single local account, so data associated with one Patreon user can be exposed to or overwritten by another. Patreon-specific attributes such as subscription status can leak across unrelated users. If the application grants elevated privileges to the local account behind the shared ID, those privileges effectively apply to every Patreon login.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ego-pkgz/auth\u003c/code\u003e to a version higher than 1.25.1 or \u003ccode\u003ego-pkgz/auth/v2\u003c/code\u003e to a version higher than 2.1.1 to patch CVE-2026-42560.\u003c/li\u003e\n\u003cli\u003eAfter patching CVE-2026-42560, verify that distinct Patreon accounts now receive distinct \u003ccode\u003euser.ID\u003c/code\u003e values, and review any records, sessions, or permissions that were keyed on the shared ID before the upgrade: data written under it cannot be attributed to a specific Patreon account afterwards, and the new per-account IDs will not match it.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Patreon Auth ID Collision Attempt\u0026rdquo; to detect potential exploitation by monitoring for the user ID \u003ccode\u003epatreon_da39a3ee5e6b4b0d3255bfef95601890afd80709\u003c/code\u003e in authentication logs. On an unpatched deployment this ID appears on every Patreon login, so a hit identifies a vulnerable instance in use rather than proving an active attacker.\u003c/li\u003e\n\u003cli\u003eImplement additional logging and monitoring to track user authentication events and identify anomalies in user ID assignment, such as many distinct Patreon logins resolving to one local ID.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-patreon-auth-id-collision/","summary":"The Patreon OAuth provider in go-pkgz/auth and go-pkgz/auth/v2 maps every authenticated Patreon account to the same local user ID, leading to cross-account access, privilege confusion, and subscription-state leakage.","title":"Patreon OAuth Provider ID Collision Vulnerability in 
go-pkgz/auth","url":"https://feed.craftedsignal.io/briefs/2024-01-patreon-auth-id-collision/"}],"language":"en","title":"CraftedSignal Threat Feed — Auth","version":"https://jsonfeed.org/version/1.1"}
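A worked reproduction of the collision described in the brief's attack chain, together with the log check its detection recommendation calls for. This is added example code, not code from go-pkgz/auth. It models the provider's ID derivation as `"patreon_" + hex(SHA-1(value))`, which is what the brief's collision ID (the SHA-1 of the empty string) implies; the `patreonUser` struct, the `mapUserVulnerable`/`mapUserFixed`/`findCollisionLogins` names and the log line format are all assumptions constructed for the example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// patreonUser is a constructed stand-in for the profile fields an application
// receives from Patreon's identity endpoint. Field names are assumptions for
// this example, not the library's types.
type patreonUser struct {
	ID    string // Patreon account ID, e.g. "10000001"
	Email string
}

// hashID models the ID derivation the advisory implies: hex(SHA-1(value)).
// Example re-implementation, not go-pkgz/auth's own helper.
func hashID(val string) string {
	h := sha1.New()
	h.Write([]byte(val))
	return hex.EncodeToString(h.Sum(nil))
}

// mapUserVulnerable reproduces the defect: the value fed to the hash is a
// field that is never populated from the profile, so every login hashes ""
// and lands on the same local ID. u.ID is ignored on purpose.
func mapUserVulnerable(u patreonUser) string {
	var neverSet string // stands in for the uninitialised field
	return "patreon_" + hashID(neverSet)
}

// mapUserFixed hashes the Patreon account ID, so distinct accounts receive
// distinct local IDs.
func mapUserFixed(u patreonUser) string {
	return "patreon_" + hashID(u.ID)
}

// collisionID is the local ID every Patreon user receives under the
// vulnerable mapping: "patreon_" + SHA-1("").
const collisionID = "patreon_da39a3ee5e6b4b0d3255bfef95601890afd80709"

// findCollisionLogins returns the authentication log lines that carry the
// collision ID. The line format is constructed for this example; adapt the
// match to whatever field your application actually logs.
func findCollisionLogins(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if strings.Contains(l, collisionID) {
			hits = append(hits, l)
		}
	}
	return hits
}

func main() {
	alice := patreonUser{ID: "10000001", Email: "alice@example.com"}
	bob := patreonUser{ID: "10000002", Email: "bob@example.com"}

	fmt.Println("vulnerable:", mapUserVulnerable(alice), mapUserVulnerable(bob))
	fmt.Println("fixed:     ", mapUserFixed(alice), mapUserFixed(bob))

	// Constructed sample log lines: two Patreon logins on an unpatched
	// instance and one non-Patreon login for contrast.
	logs := []string{
		"2024-01-03T12:00:01Z auth provider=patreon user.id=" + mapUserVulnerable(alice) + " email=alice@example.com",
		"2024-01-03T12:00:07Z auth provider=patreon user.id=" + mapUserVulnerable(bob) + " email=bob@example.com",
		"2024-01-03T12:00:09Z auth provider=github user.id=github_example email=carol@example.com",
	}
	for _, hit := range findCollisionLogins(logs) {
		fmt.Println("ALERT collision ID seen:", hit)
	}
}
```

Running it prints the same `patreon_da39a3ee...` ID for both users under the vulnerable mapping, two different IDs under the fixed one, and two alerts for the constructed log, which is the point made in the recommendation: on an unpatched instance the sentinel ID shows up for every Patreon login, so the check finds vulnerable deployments rather than a particular attacker.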