-
The current API for pluggable authentication is easily prone to account hijacking, either if the authentication source allows changing email addresses and/or if the authentication source doesn't enforce email address uniqueness. The 2 authentication plugins we have surveyed (LDAP Auth and OIDC Auth) are unfortunately both subject to this vulnerability. We are in the process of opening issues with the authors of those plugins to make them aware of this issue. The general fix (also applicable to both those cases) would be to store a known unique and non-modifiable attribute returned by the upstream identity provider alongside the user's email address in the Pretix User object, to store this when the authentication plugin creates a user from an external identity source, and to compare it on subsequent login attempts. Pretix should offer such a field on the User object so that not every authentication plugin has to implement their own. I would also suggest that the pluggable authentication API be changed to make such a unique and non-modifiable upstream identity provider attribute mandatory. This would greatly improve the security of auth plugins by alleviating the whole class of email address base account hijacking by default. Auth plugins that are happy and sure the email address is immutable and unique in the identity provider could still throw in the email address in said field, or even always the same hardcoded value for every user, but it would be a conscious decision by the plugin developer and not a potentially insecure default. I would furthermore suggest this unique and non-modifiable upstream identity provider attribute be made mandatory by the Pretix API such that plugin authors have to adhere by it. For example the docs makes the requirement that an auth plugin only authenticates users it created itself, the OIDC plugin does not check that (I would argue this requirement should also be checked by Pretix code and not left to auth plugin authors, but that's another issue). |
Beta Was this translation helpful? Give feedback.
Replies: 3 comments 4 replies
-
Regarding that last point I misread the docs, the docs only say a login should be refused if the user was not created by the auth plugin, sorry. |
Beta Was this translation helpful? Give feedback.
-
🚨 First of all, mostly for anyone else reading this and having similar thoughts, if you find security-sensitive issues in pretix or its ecosystem, please do not open a public issue or discussion, but coordinate with security@pretix.eu first so we can figure out if this is something we need to fix very very quickly before it gets publicly known. This case is on the very edge of this distinction and I'm not sure where it should have fallen, but now here we are :) I think this one is only directly exploitable for account takeover if the authentication backend source contains unverified/untrusted email address assignments. Since this is mostly used in contexts where the authentication backend is a company's central identity storage, this should be a very rare case.
I agree.
I don't think that's something we can easily do without a long deprecation period. Mostly because if we do this change, then every plugin will need to find its own way of filling up the identity attribute for all existing users. Possibly this will require all users to log in at least once after the change to work. (I'm also not sure if every possible identity service provides this, but in that case you could still fall back to using the email address as well).
I don't think we technically cannot really enforce that, since the plugins just work with plain django objects and django authentication APIs. |
Beta Was this translation helpful? Give feedback.
-
Here's a proposal for a fix, happy for feedback: #2466 |
Beta Was this translation helpful? Give feedback.
Here's a proposal for a fix, happy for feedback: #2466