Github Oauth is tied to username at /edit/elsewhere instead of email
State Resolved (Closed)
Disclosed publicly 2018-12-02T16:42:41.425Z
Weakness Improper Access Control - Generic
Timeline
emitrani submitted a report to Liberapay.
2018-11-30T00:23:31.857Z

When a user verifies a Github account at /edit/elsewhere, the final result is a Github username tied to a Liberapay account. The issue is that Github usernames are mutable.

Consider the following scenario.

  1. I create an account called ed-liberapay (something likely to be claimed in the future)
  2. Verify that I own that Github account on liberapay.com/edit/elsewhere
  3. I go to my Github and update my username (this doesn't change anything on liberapay.com and Github won't redirect old links to the account to the new location)
  4. Eventually that account is claimed by Ed and he creates impressive repos.
  5. I go and import the repos into my account and pretend to own it.

Impact

This can enable impersonation.

I suspect the issue is caused in this function:

https://github.com/liberapay/liberapay.com/blob/master/liberapay/elsewhere/_base.py#L266

I haven't set up my own instance to see if GitHub is indeed going through the username path, but in practice I was able to set up 2 accounts as described, change the name of the attacker account to something else, and then import a different account's repos as my own.

Regards,
Frans

Activities::Comment
2018-11-30T00:23:32.092Z
Thank you for your submission! We have received your report and a security analyst will respond shortly.


edoverflow Activities::Comment
2018-11-30T12:13:48.711Z
Hi @emitrani, thank you for the report. We are currently reviewing the potential issue you described above. - Ed


edoverflow Activities::BugTriaged
2018-11-30T14:11:28.716Z
@karel_origin and I were able to reproduce this issue. We will mark this report as triaged and start discussing the security implications internally with the team. Thank you for your patience, @emitrani. - Ed


changaco Activities::Comment
2018-12-01T11:08:56.094Z
This vulnerability is difficult to exploit and only works for a limited amount of time, because we automatically refresh GitHub user data every 90 days. The following patch should prevent the impersonation completely, by checking the immutable user ID when fetching the repositories: https://github.com/liberapay/liberapay.com/pull/1364/commits/8aa7fa3e9137269c436b5b5741dc2e927b73a9b0


emitrani Activities::Comment
2018-12-01T14:49:28.435Z
Hi @changaco, checking the account id before importing will fix the scenario I describe, but the link on the profile page will remain until the token is refreshed or an invalid import attempt is made. A person's profile can link to an empty GitHub profile or one claimed by someone else. Still, this patch solves the most problematic issue, importing someone else's repos. Best, Eray
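The two points in this exchange, the immutable-id check that changaco's patch adds before importing repositories and the stale profile link that Eray notes remains until the data is refreshed, as an added Python sketch that is not Liberapay's code; `LinkedAccount`, `FAKE_GITHUB` and the sample ids and logins are constructed assumptions standing in for the stored elsewhere-account row and the GitHub API.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LinkedAccount:
    """Elsewhere-account row as stored at verification time (constructed model)."""
    user_id: str    # immutable GitHub user id
    user_name: str  # GitHub login, which its owner can change at any time

# Constructed stand-in for the GitHub API, keyed by login. The attacker verified
# "ed-liberapay" while it had id 1001, then renamed to "attacker-renamed"; the
# freed login "ed-liberapay" was later claimed by a different user with id 2002.
FAKE_GITHUB = {
    "ed-liberapay":     {"id": "2002", "repos": ["impressive-repo"]},
    "attacker-renamed": {"id": "1001", "repos": ["attacker-repo"]},
}

def import_repos_by_username(account: LinkedAccount) -> list:
    """Vulnerable: trusts the stored login, so a stale link imports id 2002's repos."""
    data = FAKE_GITHUB.get(account.user_name)
    return list(data["repos"]) if data else []

def import_repos_checked(account: LinkedAccount) -> list:
    """Hardened: the login must still resolve to the id recorded at verification."""
    data = FAKE_GITHUB.get(account.user_name)
    if data is None or data["id"] != account.user_id:
        raise PermissionError(
            f"login {account.user_name!r} no longer belongs to user id {account.user_id}"
        )
    return list(data["repos"])

def refresh_link(account: LinkedAccount) -> Optional[LinkedAccount]:
    """Re-resolve the stored immutable id to its current login so the profile
    link is corrected; returns None when the id can no longer be found."""
    for login, data in FAKE_GITHUB.items():
        if data["id"] == account.user_id:
            return LinkedAccount(account.user_id, login)
    return None
```

Running `refresh_link` on the same schedule as the periodic user-data refresh (or on a failed import) is what closes the stale-link window Eray describes.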


karel_origin Activities::BugResolved
2018-12-01T15:56:07.362Z
Thank you for reporting this issue to us!


changaco Activities::AgreedOnGoingPublic
2018-12-02T09:40:38.258Z


emitrani Activities::AgreedOnGoingPublic
2018-12-02T16:42:41.387Z
Small note to people reading this: if you look at how a bug you find is fixed, you will become better hackers. Thanks to this report I learned about immutable account ids on GitHub.


emitrani Activities::ReportBecamePublic
2018-12-02T16:42:41.442Z