<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Nhost - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/nhost/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/nhost/feed.xml" rel="self" type="application/rss+xml"/><item><title>Nhost Account Takeover via OAuth Email Verification Bypass</title><link>https://feed.craftedsignal.io/briefs/2024-01-nhost-account-takeover/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nhost-account-takeover/</guid><description>Nhost is vulnerable to account takeover due to improper OAuth email verification in Discord, Bitbucket, AzureAD, and EntraID providers, allowing attackers to merge an unverified OAuth identity into a victim's account.</description><content:encoded><![CDATA[<p>Nhost is vulnerable to account takeover due to improper OAuth email verification. The vulnerability stems from Nhost automatically linking incoming OAuth identities to existing Nhost accounts when email addresses match, without properly verifying the email with the OAuth provider. Several provider adapters, including Discord, Bitbucket, AzureAD, and EntraID, fail to correctly populate the <code>profile.EmailVerified</code> field. This allows an attacker to present an email they don't own to Nhost, have the OAuth identity merged into the victim's account, and gain a fully authenticated session. The vulnerable code is located in <code>services/auth/go/controller/sign_in_id_token.go</code>. Affected Nhost versions are prior to 0.0.0-20260417112436-ec8dab3f2cf4.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a target Nhost application that utilizes a vulnerable OAuth provider (Discord, Bitbucket, AzureAD, or EntraID).</li>
<li>The attacker creates an account on the chosen OAuth provider.</li>
<li>The attacker modifies their email address on the OAuth provider to match the email address of the victim's Nhost account. In the case of Discord, the attacker changes the email but skips the verification step.</li>
<li>The attacker initiates the &quot;Sign in with [OAuth Provider]&quot; flow on the target Nhost application.</li>
<li>Nhost's backend fetches the attacker's profile from the OAuth provider. Due to the vulnerability, Nhost incorrectly trusts the 'verified' status, even if the email is unverified.</li>
<li>Nhost locates the victim's account based on the matching email address.</li>
<li>Nhost links the attacker's OAuth provider identity to the victim's account in the database using the <code>InsertUserProvider</code> function.</li>
<li>Nhost generates a new session for the victim's account and provides it to the attacker, granting the attacker full access to the victim's account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows for full account takeover of any existing Nhost user, without requiring any interaction from the victim. The attacker can then change the account email, disable other login methods, and permanently lock out the legitimate owner. This is particularly critical in applications with admin or privileged accounts, potentially leading to significant data breaches or unauthorized access to sensitive systems. The vulnerability affects Nhost versions prior to 0.0.0-20260417112436-ec8dab3f2cf4.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Nhost to a version containing the fix for this vulnerability (&gt;= 0.0.0-20260417112436-ec8dab3f2cf4).</li>
<li>Implement a controller-level guard that enforces email verification regardless of the adapter's reported <code>EmailVerified</code> status, as described in the &quot;Defense-in-Depth Gap&quot; section. This mitigates the risk of future vulnerabilities due to changes in OAuth provider APIs.</li>
<li>For Discord, apply the fix described in the advisory, adding the <code>Verified</code> field to the <code>discordUserProfile</code> struct and utilizing it in the <code>EmailVerified</code> assignment within the <code>providers/discord.go</code> file.</li>
<li>For Bitbucket, remove the fallback to unconfirmed emails as described in the advisory, preventing the adapter from using unverified emails in <code>providers/bitbucket.go</code>.</li>
<li>For AzureAD and EntraID, avoid falling back to <code>preferred_username</code> or UPN for account-linking email, as these fields do not prove email ownership, as documented in the advisory.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>oauth</category><category>account-takeover</category><category>nhost</category></item></channel></rss>