Task Description
Dear alwaysdata Security Team,
I have identified a high-severity session management vulnerability in your authentication system that allows persistent unauthorized account access even after OAuth providers are unlinked. This report includes complete reproduction steps, evidence, and impact analysis.
Quick Details:
- Vulnerability: Session Invalidation Flaw After OAuth Unlinking
- Severity: High (CVSS 7.6)
- Impact: Full account compromise persistence
- Category: Authentication & Session Management
Core Issue: When users unlink OAuth providers (Google/GitHub) from their accounts, existing OAuth sessions remain fully active with complete access to all account functionalities and sensitive operations.
Phase 1: Setup
- Browser 1: Open Chrome → Login via Google OAuth
- Browser 2: Open Firefox private → Login with email/password
- Verify both sessions are active
Phase 2: Unlink OAuth
- In Browser 2: Profile → Authentication → Unlink Google OAuth
- Confirm successful unlinking
Phase 3: Validate Vulnerability
- Return to Browser 1 (OAuth session)
- Observe: No logout or session invalidation occurs
- Test sensitive actions (all successful):
  - Change primary email address
  - Modify account password
  - Access billing/payment methods
  - Create/delete website services
  - Modify domain configurations
Proof of Concept: attachments are included.
Impact Assessment:
- Account Takeover Persistence: Attackers maintain access after victims remove OAuth
- Financial Fraud: Billing manipulation possible
- Data Breach: Complete account data exposure
- Service Disruption: Website/database modifications
Attack Scenarios:
- Compromised OAuth → Victim unlinks → Attacker keeps access
- Former Employee → OAuth unlinked → Session remains active
- Session Hijacking → Permanent account control
Immediate Actions:
When OAuth is unlinked:
- Invalidate all existing OAuth sessions for that user
- Force re-authentication for affected sessions
- Send session termination notifications
- Log security event for audit
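As an added illustration of the recommended fix (this is example code written for this report, not alwaysdata's implementation; the in-memory session store, the `auth_method` field and the function names are assumptions), the following Python sketch contrasts an unlink handler that only removes the provider link with one that also revokes every session established through that provider, forces re-authentication on the next request, queues a notification to the user and writes an audit event. Password-based sessions for the same user are left untouched.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user_id: str
    auth_method: str          # "password" or "oauth:<provider>", recorded at login
    created_at: float
    revoked: bool = False
    revoked_reason: str = ""


class SessionStore:
    """Hypothetical in-memory session store; every session remembers how it was authenticated."""

    def __init__(self):
        self._sessions = {}            # session_id -> Session
        self._linked = {}              # user_id -> set of linked OAuth providers
        self.audit_log = []            # constructed audit sink (a real system would persist this)
        self.notifications = []        # constructed outbox for user notifications

    def login(self, user_id, auth_method):
        """Create a session and remember the authentication method that produced it."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user_id, auth_method, time.time())
        if auth_method.startswith("oauth:"):
            self._linked.setdefault(user_id, set()).add(auth_method.split(":", 1)[1])
        return sid

    def is_valid(self, sid):
        s = self._sessions.get(sid)
        return s is not None and not s.revoked

    def authorize(self, sid):
        """What a request handler sees: ("ok", user_id) or ("reauth_required", reason)."""
        s = self._sessions.get(sid)
        if s is None:
            return ("reauth_required", "unknown session")
        if s.revoked:
            return ("reauth_required", s.revoked_reason)
        return ("ok", s.user_id)

    def unlink_oauth_provider_vulnerable(self, user_id, provider):
        """The flawed behaviour described in the report: the link is removed,
        but sessions that were opened through the provider stay fully usable."""
        self._linked.get(user_id, set()).discard(provider)

    def unlink_oauth_provider(self, user_id, provider):
        """Hardened unlink: remove the link AND revoke sessions that came from it."""
        self._linked.get(user_id, set()).discard(provider)
        method = f"oauth:{provider}"
        revoked = []
        for s in self._sessions.values():
            if s.user_id == user_id and s.auth_method == method and not s.revoked:
                s.revoked = True
                s.revoked_reason = f"{provider} unlinked"   # next request will be bounced to login
                revoked.append(s.session_id)
        # Audit event is written even when nothing was revoked, so the unlink itself is traceable.
        self.audit_log.append({
            "event": "oauth_unlinked",
            "user_id": user_id,
            "provider": provider,
            "sessions_revoked": len(revoked),
            "at": time.time(),
        })
        if revoked:
            self.notifications.append(
                (user_id, f"{len(revoked)} session(s) signed in via {provider} were terminated")
            )
        return revoked


def demo():
    """Reproduce the two-browser scenario from the report against both handlers."""
    store = SessionStore()
    oauth_sid = store.login("victim", "oauth:google")     # Browser 1
    password_sid = store.login("victim", "password")      # Browser 2

    store.unlink_oauth_provider_vulnerable("victim", "google")
    still_open = store.is_valid(oauth_sid)                # True: the flaw

    revoked = store.unlink_oauth_provider("victim", "google")
    return {
        "vulnerable_kept_oauth_session": still_open,
        "hardened_revoked": revoked == [oauth_sid],
        "oauth_session_valid": store.is_valid(oauth_sid),
        "password_session_valid": store.is_valid(password_sid),
        "oauth_authz": store.authorize(oauth_sid),
        "audit_events": len(store.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The key design choice is that `auth_method` is stored on the session at login time; without that field the server cannot tell which sessions to revoke when a provider is unlinked and would have to either log the user out everywhere or, as in the reported behaviour, do nothing.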