Headline
GHSA-9wgg-m99q-hhfc: Expired tokens can be renewed without validating the account password
Impact
In versions of the proxy from 2022-09-05
onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first configuring the account).
An attacker with knowledge of valid account addresses and careful timing (i.e., attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.
This issue is not a concern if you only use the proxy on a local device. It is also not an issue if you are using the O365 resource owner password credentials grant (ROPCG) flow.
If you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or another network), you should upgrade to version 2023-12-19
immediately.
Patches
Email OAuth 2.0 Proxy version 2023-12-19
fixes this issue.
Detecting unauthorised access
In most standard configurations (specifically, when not using the O365 client credentials grant (CCG) flow), unauthorised access will be revealed by the presence of an unexpected reauthorisation prompt from the proxy when attempting to log in with the correct password.
It is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.
Impact
In versions of the proxy from 2022-09-05 onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first configuring the account).
An attacker with knowledge of valid account addresses and careful timing (i.e., attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.
This issue is not a concern if you only use the proxy on a local device. It is also not an issue if you are using the O365 resource owner password credentials grant (ROPCG) flow.
If you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or another network), you should upgrade to version 2023-12-19 immediately.
Patches
Email OAuth 2.0 Proxy version 2023-12-19 fixes this issue.
Detecting unauthorised access
In most standard configurations (specifically, when not using the O365 client credentials grant (CCG) flow), unauthorised access will be revealed by the presence of an unexpected reauthorisation prompt from the proxy when attempting to log in with the correct password.
It is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.
References
- GHSA-9wgg-m99q-hhfc
- simonrob/email-oauth2-proxy@8c874c2
- simonrob/email-oauth2-proxy@eaaa1a2
- https://github.com/simonrob/email-oauth2-proxy/releases/tag/2023-12-19