Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove associate_by_email from the default social auth pipeline, which can allow for account takeovers #14946

Closed
remram44 opened this issue Jan 26, 2024 · 1 comment · Fixed by #15206
Closed

Remove associate_by_email from the default social auth pipeline, which can allow for account takeovers #14946

remram44 opened this issue Jan 26, 2024 · 1 comment · Fixed by #15206
Assignees
@abhi1693
Labels
status: accepted This issue has been accepted for implementation type: feature Introduction of new functionality to the application

Comments

@remram44
Copy link

remram44 commented Jan 26, 2024
edited
Loading

NetBox version

>=3.1.0 including 3.7.1

Feature type

Change to existing functionality

Proposed functionality

The default social auth pipeline used by NetBox includes associate_by_email. This is disabled by default in social auth for security reasons as it allows account takeover. Let's disable it to match social auth's defaults.

Use case

associate_by_email automatically links a new social login with any existing account that has the same email address. For example, if you allow social auth via Google and I have the superuser's email on my Google account, when I log in via Google, I am let into that superuser account.

This is safe if you are using an SSO system that validates email addresses (e.g. your company's SSO) but usually NOT for social login. Many sites will report email addresses even though they have not yet been validated.

This affected me as I use CILogon (which in turns uses a large variety of providers). It famously affects Google accounts as well (source).

Database changes

No response

External dependencies

No response
@remram44 remram44 added the type: feature Introduction of new functionality to the application label Jan 26, 2024
@remram44
Copy link
Author

This was filed as a security advisory first, I am re-filing as feature request as per @jeremystretch's comment.

remram44 added a commit to remram44/netbox that referenced this issue Jan 26, 2024
@remram44
Remove associate_by_email from default auth pipeline
8e11c67 
Fixes netbox-community#14946
@jeremystretch jeremystretch added the status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation label Jan 26, 2024
@abhi1693 abhi1693 self-assigned this Feb 20, 2024
@abhi1693 abhi1693 added status: accepted This issue has been accepted for implementation and removed status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation labels Feb 20, 2024
abhi1693 added a commit that referenced this issue Feb 20, 2024
@abhi1693
removed associate_by_email #14946
5f92ed6
@abhi1693 abhi1693 mentioned this issue Feb 20, 2024
Merged
jeremystretch pushed a commit that referenced this issue Feb 20, 2024
@abhi1693 @jeremystretch
removed associate_by_email #14946
8678d1a
jeremystretch added a commit that referenced this issue Feb 20, 2024
@jeremystretch
Changelog for #14405, #14587, #14946, #15090. #15174, #15177, #15184, #…
f751afc 
…15192
@jeremystretch jeremystretch mentioned this issue Feb 21, 2024
Merged
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 21, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@abhi1693 abhi1693

Labels
status: accepted This issue has been accepted for implementation type: feature Introduction of new functionality to the application
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Removed associate_by_email netbox-community/netbox
3 participants
@remram44 @abhi1693 @jeremystretch