{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nhost/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nhost"],"_cs_severities":["critical"],"_cs_tags":["oauth","account-takeover","nhost"],"_cs_type":"advisory","_cs_vendors":["Nhost"],"content_html":"\u003cp\u003eNhost is vulnerable to account takeover due to improper OAuth email verification. The vulnerability stems from Nhost automatically linking incoming OAuth identities to existing Nhost accounts when email addresses match, without properly verifying the email with the OAuth provider. Several provider adapters, including Discord, Bitbucket, AzureAD, and EntraID, fail to correctly populate the \u003ccode\u003eprofile.EmailVerified\u003c/code\u003e field. This allows an attacker to present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and gain a fully authenticated session. The vulnerable code is located in \u003ccode\u003eservices/auth/go/controller/sign_in_id_token.go\u003c/code\u003e. Affected Nhost versions are prior to 0.0.0-20260417112436-ec8dab3f2cf4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target Nhost application that utilizes a vulnerable OAuth provider (Discord, Bitbucket, AzureAD, or EntraID).\u003c/li\u003e\n\u003cli\u003eThe attacker creates an account on the chosen OAuth provider.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies their email address on the OAuth provider to match the email address of the victim's Nhost account. In the case of Discord, the attacker changes the email but skips the verification step.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the \u0026quot;Sign in with [OAuth Provider]\u0026quot; flow on the target Nhost application.\u003c/li\u003e\n\u003cli\u003eNhost's backend fetches the attacker's profile from the OAuth provider. Due to the vulnerability, Nhost incorrectly trusts the 'verified' status, even if the email is unverified.\u003c/li\u003e\n\u003cli\u003eNhost locates the victim's account based on the matching email address.\u003c/li\u003e\n\u003cli\u003eNhost links the attacker's OAuth provider identity to the victim's account in the database using the \u003ccode\u003eInsertUserProvider\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eNhost generates a new session for the victim's account and provides it to the attacker, granting the attacker full access to the victim's account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows for full account takeover of any existing Nhost user, without requiring any interaction from the victim. The attacker can then change the account email, disable other login methods, and permanently lock out the legitimate owner. This is particularly critical in applications with admin or privileged accounts, potentially leading to significant data breaches or unauthorized access to sensitive systems. The vulnerability affects Nhost versions prior to 0.0.0-20260417112436-ec8dab3f2cf4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Nhost to a version containing the fix for this vulnerability (\u0026gt;= 0.0.0-20260417112436-ec8dab3f2cf4).\u003c/li\u003e\n\u003cli\u003eImplement a controller-level guard that enforces email verification regardless of the adapter's reported \u003ccode\u003eEmailVerified\u003c/code\u003e status, as described in the \u0026quot;Defense-in-Depth Gap\u0026quot; section. This mitigates the risk of future vulnerabilities due to changes in OAuth provider APIs.\u003c/li\u003e\n\u003cli\u003eFor Discord, apply the fix described in the advisory, adding the \u003ccode\u003eVerified\u003c/code\u003e field to the \u003ccode\u003ediscordUserProfile\u003c/code\u003e struct and utilizing it in the \u003ccode\u003eEmailVerified\u003c/code\u003e assignment within the \u003ccode\u003eproviders/discord.go\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eFor Bitbucket, remove the fallback to unconfirmed emails as described in the advisory, preventing the adapter from using unverified emails in \u003ccode\u003eproviders/bitbucket.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor AzureAD and EntraID, avoid falling back to \u003ccode\u003epreferred_username\u003c/code\u003e or UPN for account-linking email, as these fields do not prove email ownership, as documented in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nhost-account-takeover/","summary":"Nhost is vulnerable to account takeover due to improper OAuth email verification in Discord, Bitbucket, AzureAD, and EntraID providers, allowing attackers to merge an unverified OAuth identity into a victim's account.","title":"Nhost Account Takeover via OAuth Email Verification Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-nhost-account-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed - Nhost","version":"https://jsonfeed.org/version/1.1"}