Impact
On 24-02-03 at 14:18 (UTC-5) we became aware of a security vulnerability in our platform that allowed unauthorized access through the Microsoft login integration. The issue was discovered reactively by an independent security researcher, who reported it through our Bug Bounty Program. The problem was mitigated 72 minutes after the report (time to fix, TTF).
Upon reviewing the platform logs, we confirmed that the security researcher limited their exploration to demo groups and did not attempt to access client information. There were also no earlier attempts to exploit this vulnerability.
Consequently, no user data was actually compromised.
Cause
The platform received the user's email from the authentication provider and trusted it as legitimate, creating a session without any additional verification. This assumed that the email returned by the provider had been verified, based on the behavior of other providers such as Google and Bitbucket, which verify email addresses as a courtesy. Nothing requires that: OAuth2 is an authorization framework that defines no identity claims at all, and in OpenID Connect (the identity layer on top of it) the email claim and its accompanying email_verified flag are optional, with each provider deciding whether and how an address is verified [1]. Microsoft's identity platform in particular will return an email address that the account holder set themselves and that was never confirmed.
Solution
Immediate mitigation was implemented by enabling the removeUnverifiedEmailClaim authentication behavior on the application registration (configured through the Microsoft Graph API), which makes Microsoft omit the email claim from the token whenever the address has not been verified; since the platform refuses to log in a user without an email claim, such attempts are now rejected.
Further hardening of the authentication flow was implemented over the following days, including checking the subject (sub) claim [2], which identifies the account at the provider and, unlike the email address, cannot be chosen by the user.
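To make the cause and the fix concrete, the following is an added example (not the platform's own code) of the account-resolution step that runs after an ID token's signature has been validated. The first resolver reproduces the vulnerable behavior: any token carrying an email claim logs in the owner of that email. The second applies the hardening described above: the account is bound to the (issuer, subject) pair, and the email is used only on first login and only if the provider explicitly asserts it verified the address, so a token from which the provider stripped the email claim (as removeUnverifiedEmailClaim does) or that simply lacks email_verified is rejected. The issuer URL, subject values, email addresses and the in-memory account directory are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

class LoginRejected(Exception):
    """Raised when the token claims do not justify opening a session."""

@dataclass
class Account:
    email: str
    # (issuer, subject) pairs already linked to this account
    linked_subjects: set = field(default_factory=set)

# Constructed sample directory (hypothetical data, not the platform's).
ACCOUNTS = {
    "alice@example.com": Account(
        "alice@example.com",
        {("https://login.microsoftonline.com/common/v2.0", "sub-alice-001")},
    ),
    "bob@example.com": Account("bob@example.com"),  # never used an IdP yet
}

def vulnerable_resolve(claims: dict) -> Optional[Account]:
    """'Before' behavior: whoever can make the provider emit an `email`
    claim is logged in as the owner of that address."""
    email = claims.get("email")
    if not email:
        raise LoginRejected("no email claim")
    return ACCOUNTS.get(email.lower())

def hardened_resolve(claims: dict, expected_iss: str) -> Optional[Account]:
    """'After' behavior: bind on (iss, sub); fall back to the email only on
    first login and only when the provider vouches for it."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if iss != expected_iss or not sub:
        raise LoginRejected("unexpected issuer or missing subject")
    # 1. Stable identifier first: the subject is assigned by the provider
    #    and cannot be chosen or changed by the user.
    for account in ACCOUNTS.values():
        if (iss, sub) in account.linked_subjects:
            return account
    # 2. First login: the email may locate the account, but a missing claim
    #    or a missing/false email_verified flag counts as unverified.
    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        raise LoginRejected("email absent or not verified by the provider")
    account = ACCOUNTS.get(email.lower())
    if account is not None:
        account.linked_subjects.add((iss, sub))  # so step 1 matches next time
    return account

def try_login(resolver, claims: dict, **kwargs) -> str:
    """Run a resolver and summarize the outcome as a string."""
    try:
        account = resolver(claims, **kwargs)
    except LoginRejected as exc:
        return f"rejected: {exc}"
    return "no account" if account is None else f"session for {account.email}"

# Constructed claim sets (hypothetical). Real Entra ID v2.0 issuers carry the
# tenant id in the URL; "common" is used here only as a placeholder.
MS_ISSUER = "https://login.microsoftonline.com/common/v2.0"
# The attacker's own Microsoft account, whose unverified mail attribute was
# set to the victim's address.
ATTACKER_CLAIMS = {"iss": MS_ISSUER, "sub": "sub-attacker-999",
                   "email": "alice@example.com"}
# Alice's genuine account after the IdP stripped the unverified email claim.
ALICE_CLAIMS = {"iss": MS_ISSUER, "sub": "sub-alice-001"}
# Bob's first login, with an address the provider asserts it verified.
BOB_FIRST_LOGIN = {"iss": MS_ISSUER, "sub": "sub-bob-042",
                   "email": "Bob@example.com", "email_verified": True}

if __name__ == "__main__":
    print("vulnerable, attacker:", try_login(vulnerable_resolve, ATTACKER_CLAIMS))
    print("hardened,   attacker:", try_login(hardened_resolve, ATTACKER_CLAIMS, expected_iss=MS_ISSUER))
    print("hardened,   alice   :", try_login(hardened_resolve, ALICE_CLAIMS, expected_iss=MS_ISSUER))
    print("hardened,   bob     :", try_login(hardened_resolve, BOB_FIRST_LOGIN, expected_iss=MS_ISSUER))
```

The order of the two checks matters: once a subject is linked, the email claim is never consulted again, so a later change of the mail attribute at the provider cannot redirect the account, and a provider that never emits email_verified (Microsoft does not use that OIDC claim name) is treated as unverified by default rather than trusted by accident.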
Conclusion
This incident revealed the need for a more nuanced understanding of OAuth2 implementations and the behavior of various authentication providers.
Moving forward, we have implemented additional security measures, such as OTP verification via email, SMS and WhatsApp for login attempts from unknown devices [3].