{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/authorizer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Authorizer"],"_cs_severities":["high"],"_cs_tags":["redirect-uri","account-takeover","authorization"],"_cs_type":"advisory","_cs_vendors":["Authorizer"],"content_html":"\u003cp\u003eAuthorizer, a Go-based authentication and authorization service, is susceptible to a critical vulnerability affecting versions prior to commit 73679fa. This vulnerability allows attackers to inject arbitrary redirect URIs into several endpoints, including ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, and VerifyEmailHandler. The root cause is the lack of proper validation of the \u003ccode\u003eredirect_uri\u003c/code\u003e parameter against the configured \u003ccode\u003eAllowedOrigins\u003c/code\u003e in these endpoints. By exploiting this flaw, attackers can redirect users to malicious sites and steal sensitive information such as password reset tokens, magic link tokens, and full authentication tokens (access_token, id_token, refresh_token). This poses a significant threat as it bypasses intended security configurations and can lead to account takeover and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL containing a vulnerable Authorizer endpoint (e.g., ForgotPassword) and injects an attacker-controlled \u003ccode\u003eredirect_uri\u003c/code\u003e pointing to a malicious site (e.g., \u003ccode\u003ehttps://attacker.com/steal\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe victim initiates a password reset request, signup, magic link login, or other vulnerable action on the legitimate Authorizer instance.\u003c/li\u003e\n\u003cli\u003eAuthorizer generates a password reset token, magic link token, or full auth tokens and appends it to the attacker-controlled \u003ccode\u003eredirect_uri\u003c/code\u003e without validation.\u003c/li\u003e\n\u003cli\u003eThe victim receives a legitimate email or link from Authorizer containing the malicious URL.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link, redirecting their browser to the attacker-controlled site.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled site receives the sensitive token or full auth tokens as URL parameters (e.g., \u003ccode\u003ehttps://attacker.com/steal?token=\u0026lt;reset_token\u0026gt;\u003c/code\u003e or \u003ccode\u003ehttps://attacker.com/steal?access_token=\u0026lt;access_token\u0026gt;\u0026amp;id_token=\u0026lt;id_token\u0026gt;\u0026amp;refresh_token=\u0026lt;refresh_token\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker harvests the token(s) from the URL.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen token(s) to reset the victim's password, gain unauthorized access to their account, or impersonate the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can lead to complete account takeover due to stolen password reset tokens and full session compromise via stolen access tokens, ID tokens, and refresh tokens. It also affects passwordless login mechanisms by compromising magic link tokens. The attacker requires no prior authentication and only needs to trick the victim into clicking a link. This vulnerability affects any Authorizer instance running a vulnerable version, potentially impacting all users of applications relying on the vulnerable Authorizer service. The exposure of tokens in URL parameters also leads to information leakage through browser history, server logs, and referrer headers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Authorizer to a version containing the fix for this vulnerability (\u0026gt;= commit after 73679fa).\u003c/li\u003e\n\u003cli\u003eImplement robust validation of the \u003ccode\u003eredirect_uri\u003c/code\u003e parameter in all affected endpoints, specifically ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, and VerifyEmailHandler, using a function similar to \u003ccode\u003evalidators.IsValidOrigin()\u003c/code\u003e as used in \u003ccode\u003e/app\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eModify the default \u003ccode\u003eAllowedOrigins\u003c/code\u003e in \u003ccode\u003ecmd/root.go\u003c/code\u003e to a more restrictive value than \u003ccode\u003e[\u0026quot;*\u0026quot;]\u003c/code\u003e to force explicit configuration and prevent the OAuth endpoint's validation from becoming a no-op.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Redirect URI Parameters\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the affected Authorizer endpoints containing suspicious \u003ccode\u003eredirect_uri\u003c/code\u003e parameters, using the IOC \u003ccode\u003ehttps://attacker.com/steal\u003c/code\u003e as a starting point for identifying attacker infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-authorizer-redirect-uri/","summary":"Authorizer is vulnerable to unvalidated redirect URI injection in multiple endpoints, allowing attackers to steal password reset tokens, magic link tokens, and full authentication tokens by redirecting users to attacker-controlled sites.","title":"Authorizer Unvalidated Redirect URI Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-09-authorizer-redirect-uri/"}],"language":"en","title":"CraftedSignal Threat Feed - Authorizer","version":"https://jsonfeed.org/version/1.1"}