Prevent login overrides with SSO feature
eriskhan
The new SSO feature of Strapi is great and it has its pros - however, also cons. And the biggest con is that it's possible for an intruder to access another user's account by creating an account on some provider with the e-mail of such an admin user. For example, let's say you have two providers: Google and Sign in with Apple. An admin panel user has an Apple ID, but doesn't have a Google account. An intruder wants to access the system and knows the email of the user. He creates a Google account with the e-mail address of that user. Then he logs in to the admin panel without any problems under that user's account and gains access to the data in Strapi.
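The risk described above comes from the application resolving the SSO login by e-mail alone. The following is an added illustration, not Strapi's own code: it contrasts e-mail-based resolution with resolution by a pre-established (provider, subject) link, where a new provider can only be attached from a session the admin has already authenticated. The admin record, identity table and assertions are constructed sample data.

```javascript
// Constructed sample data: one admin who has only ever signed in through Apple.
const admins = [{ id: 1, email: "someone@some.domain" }];

// Identities already linked to admins, keyed by provider name and the
// provider's stable subject identifier (not by e-mail).
const linkedIdentities = [
  { adminId: 1, provider: "apple", subject: "001234.abcd" },
];

// Vulnerable resolution: any provider assertion carrying a matching e-mail
// is treated as that admin, regardless of which provider issued it.
function resolveByEmail(assertion) {
  return admins.find((a) => a.email === assertion.email) || null;
}

// Hardened resolution: only a (provider, subject) pair that was explicitly
// linked earlier maps to an admin. A matching e-mail on an unknown identity
// is not enough, so a fresh account at another provider gets nothing.
function resolveByIdentity(assertion) {
  const link = linkedIdentities.find(
    (l) => l.provider === assertion.provider && l.subject === assertion.subject,
  );
  if (!link) return null;
  return admins.find((a) => a.id === link.adminId) || null;
}

// Explicit linking step. sessionAdminId comes from a session the admin has
// already authenticated (e.g. through their existing provider), never from
// the unauthenticated SSO callback itself. Returns the new link.
function linkIdentity(sessionAdminId, assertion) {
  if (!admins.some((a) => a.id === sessionAdminId)) {
    throw new Error("no authenticated admin session");
  }
  if (!assertion.emailVerified) {
    throw new Error("provider did not verify the e-mail address");
  }
  const link = {
    adminId: sessionAdminId,
    provider: assertion.provider,
    subject: assertion.subject,
  };
  linkedIdentities.push(link);
  return link;
}

// Constructed assertions: what a Google account created with the admin's
// address would present, and what the admin's real Apple login presents.
const googleAssertion = {
  provider: "google", subject: "1098765",
  email: "someone@some.domain", emailVerified: true,
};
const appleAssertion = {
  provider: "apple", subject: "001234.abcd",
  email: "someone@some.domain", emailVerified: true,
};
```

With the e-mail-only resolver the Google assertion is accepted as admin 1; with the identity resolver it is refused until admin 1 links it from their own authenticated session.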
jeff.tian
I can't understand. Can anyone create a Google account with another person's email? Won't Google authenticate that email?
From the reproduction steps it seems to say:
- Add an admin panel user with an email, say someone@some.domain and password.
- Add two SSO providers, and there is an apple ID for someone@some.domain, but no Google account.
- ...
- I don't understand this part: the intruder creates a Google account with the same email someone@some.domain? How can the intruder use someone's email without the someone@some.domain holder activating that Google account?
Rodrigo Rubio
Considering that SSO is an enterprise feature, this should be fixed as a matter of urgency. Risks are losing potential clients to bugs like this, and how long it's taken to patch.