Several applications implementing “Sign in with GitHub” have been found to be
using a mutable identifier (username) to match external users to the internal
user management system. This allows attackers to completely take over accounts
whose GitHub username has changed.
If you changed your GitHub username (or a username on any other "Sign in with
..." provider), you should create a new account with your old username
immediately. This will prevent attackers from claiming your old username and
gaining access to the application in your name.
Those applications we found vulnerable to this issue have been contacted.
OAuth2 / OpenID Connect Sign In Flow
Using OAuth 2.0 or OpenID Connect for federated login is common practice, and
many web apps allow you to “Sign in with X”. The vulnerability that was found
applies specifically to applications that implement “Sign in with GitHub” and
that rely on the username to match the GitHub user with the internal user. Here
is what a vulnerable “Sign in with GitHub” looks like:
- User visit a web application that implements “Sign in with GitHub”.
- User hits “Sign in with GitHub”.
- After performing the OAuth2 / OpenID Connect flow, the user lands back at the
web application, with proof of authorization (in case of OAuth2) /
authentication (in case of OpenID Connect).
- The web application is using an endpoint, for example
/userinfo, to access
user information (emails, user id, username, …).
- The site chooses to use the GitHub username as the basis to match the GitHub
user to the internal user. Internally, the app might keep information on
payments, invoices, and other data.
Since the username is mutable on GitHub (you can change your username), and not
updated at the web application’s internal system, accounts that rename their
GitHub username will be locked out of their account at the web app. If someone
sets up a new account using the old GitHub username, it will look like it is the
right user. The attacker will have access to the full account without
limitations.
You can confirm that your/a web app is using a mutable identifier (e.g.
username) to match the external (e.g. GitHub) user to the internal (e.g. MyApp)
one with the following steps:
- Sign up a new user at GitHub with username foo.
- Sign in at MyApp using “Sign in with GitHub.
- Sign out of MyApp.
- Rename the GitHub username to bar.
- Try to sign back into MyApp using “Sign in with GitHub”. If you are locked out
of your account, MyApp is vulnerable.
The following steps should be taken immediately:
- If you renamed your username (or email) at any web application that provides
developers with “Sign in with …”, create a new account with your old
username/email immediately. This will prevent attackers from “claiming” your
old username and tricking the application that implements “Sign in with …”
into believing it’s you.
- If your web application implements “Sign in with …”, make sure you are using
an immutable property (like the user id) to match users with your internal
user management. If you’re not doing that, change this immediately.
Why disclose this publicly:
- Most vulnerable apps don’t know it yet. By writing this blog post I want to
give you the chance to claim your old username(s) immediately and mitigate
this issue without waiting for apps to fix this.
- I am not a pentester and do not have time to scan all the sites that might be
vulnerable to this. I hope that the community can rise to the challenge and
let companies know if their "Sign in with ..." flow is broken.
- I have found open source technology implementing “OAuth2 Sign In” in such a
way that makes it really easy to be vulnerable to this issue, implying this
issue might be widespread. Where possible, I contacted the open source
maintainers. But some projects have been abandoned for a while and there is
little chance of this being fixed. I hope this blog post raises awareness for
this issue.
If you want to avoid similar mistakes, Ory is developing the next-generation,
open source identity infrastructure. You should check out our
GitHub.
