- Status Closed
- Assigned To No-one
- Private
Opened by bugf357 - 18.11.2025
Last edited by nferrari - 18.11.2025
FS#240 - Session Invalidation Flaw After OAuth Unlinking
Dear alwaysdata Security Team,
I have identified a high-severity session management vulnerability in your authentication system that allows persistent unauthorized account access even after OAuth providers are unlinked. This report includes complete reproduction steps, evidence, and impact analysis.
Quick Details:
- Vulnerability: Session Invalidation Flaw After OAuth Unlinking
- Severity: High (CVSS 7.6)
- Impact: Full account compromise persistence
- Category: Authentication & Session Management
Core Issue: When users unlink OAuth providers (Google/GitHub) from their accounts, existing OAuth sessions remain fully active with complete access to all account functionalities and sensitive operations.
Phase 1: Setup
- Browser 1: Open Chrome → Login via Google OAuth
- Browser 2: Open Firefox private → Login with email/password
- Verify both sessions are active
Phase 2: Unlink OAuth
- In Browser 2: Profile → Authentication → Unlink Google OAuth
- Confirm successful unlinking
Phase 3: Validate Vulnerability
- Return to Browser 1 (OAuth session)
- Observe: No logout or session invalidation occurs
- Test sensitive actions (all successful):
  - Change primary email address
  - Modify account password
  - Access billing/payment methods
  - Create/delete website services
  - Modify domain configurations
Proof of Concept: see the attachments.
Impact Assessment:
- Account Takeover Persistence: Attackers maintain access after victims remove OAuth
- Financial Fraud: Billing manipulation possible
- Data Breach: Complete account data exposure
- Service Disruption: Website/database modifications
Attack Scenarios:
- Compromised OAuth → Victim unlinks → Attacker keeps access
- Former Employee → OAuth unlinked → Session remains active
- Session Hijacking → Permanent account control
Immediate Actions:
When OAuth is unlinked:
- Invalidate all existing OAuth sessions for that user
- Force re-authentication for affected sessions
- Send session termination notifications
- Log security event for audit
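The remediation listed under "Immediate Actions", as an added illustration that is not alwaysdata's code: a server-side session store that tags each session with the authentication method that created it, and, on unlinking a provider, revokes only that user's sessions issued through that provider, logs an audit event and calls a notification hook. The `SessionStore`, `Session` and `reproduce_report` names and the in-memory storage are assumptions for the example; `reproduce_report` replays the two-browser scenario from the report against the fixed store.

```python
"""Added example (not alwaysdata's code): revoke OAuth-issued sessions when the provider is unlinked."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user_id: str
    auth_method: str   # how the session was established: "password", "google", "github", ...
    created_at: float
    revoked: bool = False


class SessionStore:
    """Minimal server-side store (assumption: every session records the method that created it)."""

    def __init__(self, notify=None):
        self._sessions = {}
        self.audit_log = []
        self._notify = notify or (lambda user_id, msg: None)  # hook for a "session terminated" mail

    def create(self, user_id, auth_method):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user_id, auth_method, time.time())
        return sid

    def is_valid(self, session_id):
        s = self._sessions.get(session_id)
        return s is not None and not s.revoked  # a revoked session must force re-authentication

    def unlink_provider(self, user_id, provider):
        """Called by the 'Unlink <provider>' action. Revokes every live session of this user that
        was established through that provider; password sessions and other users are untouched."""
        revoked = [s.session_id for s in self._sessions.values()
                   if s.user_id == user_id and s.auth_method == provider and not s.revoked]
        for sid in revoked:
            self._sessions[sid].revoked = True
        self.audit_log.append({"event": "oauth_unlinked", "user_id": user_id, "provider": provider,
                               "sessions_revoked": len(revoked), "at": time.time()})
        if revoked:
            self._notify(user_id, f"{len(revoked)} {provider} session(s) terminated after unlinking")
        return revoked


def reproduce_report():
    """Browser 1 logs in via Google OAuth, Browser 2 via password, then Browser 2 unlinks Google."""
    store = SessionStore()
    browser1 = store.create("victim", "google")
    browser2 = store.create("victim", "password")
    store.unlink_provider("victim", "google")
    return {"oauth_session_valid": store.is_valid(browser1),
            "password_session_valid": store.is_valid(browser2),
            "audit_events": len(store.audit_log)}
```

With the fix in place the OAuth session from Browser 1 is rejected immediately after the unlink, while the password session in Browser 2 keeps working.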
18.11.2025 14:10
Reason for closing: Duplicate
Attachment: Alwaysdata.mp4