Account takeover when having only access to a user's short lived token

High
sebastian-wire published GHSA-6f4c-phfj-m255 Oct 4, 2021

Package

wire-ios (wire)

Affected versions

< 3.86

Patched versions

3.86

Description

Impact

If an attacker gets hold of a valid access token, they can take over an account by changing the email address.

Patches

Use the new endpoint, which additionally requires an authentication cookie (handled in the sync engine and transport).

This is the root advisory that pulls the changes together.
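To make the mitigation concrete, the following is an added illustrative model (not Wire's own code) of the two authorization schemes the Patches section contrasts: the pre-fix check accepts a short-lived access token alone, while the patched check also requires an authentication cookie bound to the same user. The token and cookie tables, the request type and the function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory session store (not Wire's data model): each short-lived
# bearer token and each long-lived authentication cookie maps to its owner.
ACCESS_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
AUTH_COOKIES = {"ck-alice": "alice", "ck-bob": "bob"}


@dataclass
class EmailChangeRequest:
    """Hypothetical request to the email-change endpoint."""
    new_email: str
    bearer_token: Optional[str] = None
    auth_cookie: Optional[str] = None


def change_email_vulnerable(req: EmailChangeRequest) -> Optional[str]:
    """Pre-3.86 behaviour: a valid access token alone authorizes the change.
    Returns the user whose email would be changed, or None if refused."""
    user = ACCESS_TOKENS.get(req.bearer_token)
    if user is None:
        return None
    return user


def change_email_hardened(req: EmailChangeRequest) -> Optional[str]:
    """Patched behaviour: the access token and the authentication cookie must
    both be valid and must belong to the same user; a leaked token on its own,
    or a token paired with someone else's cookie, is refused."""
    token_user = ACCESS_TOKENS.get(req.bearer_token)
    cookie_user = AUTH_COOKIES.get(req.auth_cookie)
    if token_user is None or cookie_user is None or token_user != cookie_user:
        return None
    return token_user
```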

References

GHSA-9rm2-w6pq-333m

Severity

High

CVE ID

CVE-2021-41093

Weaknesses

No CWEs