[Openid-specs-ab] 1-click account hijack for anyone using Google sign-in with Gitlab, due to response-type switch + leaking to gitlab-api.arkoselabs.com that has XSS

Nat Sakimura nat at nat.consulting
Tue Jul 25 01:01:19 UTC 2023


For those of you who are in IETF, hope you are having a good time.

Here is a vulnerability reported by Frans Rosén
https://gitlab.com/gitlab-org/gitlab/-/issues/362394

and
https://user-content.gitlab-static.net/36d11caeb269229319a2912b9719ed1d55ec1af9/68747470733a2f2f68312e7365632e6769746c61622e6e65742f612f35616565376137322d643935372d343265652d393631652d3362393436613564323538642f6769746c61622d68696a61636b2e6d7034

Maybe we should make nonce mandatory in OpenID Connect 1.1.

Also, stronger recommendations on the use of request objects.

Best,


Nat Sakimura
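As an added illustration of the nonce and response_type checks discussed above (example code written for this note, not from GitLab, Google or the OpenID specs), here is a minimal relying-party flow that binds a fresh nonce and state to the browser session, refuses a code-flow login that comes back with tokens in the fragment, and accepts the ID token only once its nonce matches the session's. The endpoint, client id and session dict are placeholders, and the ID token's signature, issuer, audience and expiry are assumed to have been verified already.

```python
import secrets
from urllib.parse import urlencode

# Placeholder RP configuration for this example; not GitLab's real values.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://rp.example/callback"
AUTHZ_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def start_login(session: dict) -> str:
    """Bind a fresh state and nonce to this browser session and build the
    authorization-code request. The nonce is what later lets the RP tell a
    token minted for this session from one captured somewhere else."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    session["oidc_response_type"] = "code"
    query = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(query)}"


def handle_callback(session: dict, query: dict, fragment: dict,
                    id_token_claims: dict) -> bool:
    """Accept the login only if the response shape and the ID token nonce
    match what this session asked for. id_token_claims is assumed to be the
    payload of an ID token whose signature, iss, aud and exp were already
    checked. Returns True to log the user in, False to reject."""
    # A code-flow request must not come back as an implicit/hybrid response:
    # tokens in the fragment mean the response_type was switched on the way.
    if session.get("oidc_response_type") == "code" and (
            "id_token" in fragment or "access_token" in fragment):
        return False
    # state ties the response to this browser session (login CSRF).
    if not secrets.compare_digest(query.get("state", ""),
                                  session.get("oidc_state", "")):
        return False
    # The nonce must exist, match, and be consumed so a captured ID token
    # cannot be replayed into this session a second time.
    expected = session.pop("oidc_nonce", None)
    if expected is None or not secrets.compare_digest(
            id_token_claims.get("nonce", ""), expected):
        return False
    session.pop("oidc_state", None)
    session["user"] = id_token_claims["sub"]
    return True
```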

