Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 May 2015 13:56:13 +0200
From: Douwe Maan <>
Cc: Erik Michaels-Ober <>
Subject: CVE Request: CSRF vulnerability in OmniAuth request phase

Affected software: 
- Ruby gem (library) OmniAuth[0]
- Gems that use OmniAuth, e.g. Devise[1]

Type of vulnerability: 
Cross-Site Request Forgery

Original report by: 
Mohamed Abdelbaset Elnoby, Senior Information Security Analyst at[2]
[The website isn’t currently working.]


OmniAuth is a library used in Ruby web applications to authenticate users using 
external services, for example OAuth providers. 

The request phase of OmniAuth is vulnerable to Cross-Site Request Forgery. This 
is the step that actually connects an external account (on a connected OAuth 
provider) to an internal account (on the web application itself). This means 
that when a client is signed into an account on the web application, and signed 
into an account on a connected OAuth provider, these two accounts can be 
connected without user intent, user interaction or feedback to the user. From 
here on out, the external account can be used to sign into the web application 
as the internal account. 

If the sign in action at a connected OAuth provider is vulnerable to CSRF, an 
attacker can force the victim’s client to be logged into the external service 
using an account beloning to the attacker, can then force this external account 
to be connected to the internal account, and can from here on out use their 
account on the external service to log into the victim’s account on the targeted 

We are aware of one large OAuth provider where the sign in action is or was 
vulnerable to CSRF.

Issue report and patch:



Douwe Maan

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.