
Doorkeeper OAuth vuln

A popular open source OAuth 2 provider for Rails, "Doorkeeper", needs patching after two security researchers independently turned up token revocation errors in it.

As Justin Bell detailed in his Bugtraq post, there were two serious gaps in the implementation's handling of token revocation.

First, Doorkeeper would not revoke tokens when a public client (one that holds no client secret) asked it to. Second, it did not authenticate client credentials properly, so, Bell writes, revocation requests from confidential clients were not authorised either.

The upshot was that OAuth 2.0 clients weren't properly logged out: their access and refresh tokens stayed valid after a revocation request, so an attacker who had hijacked a session could go on impersonating the victim after the client believed it had logged out.
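To make the two gaps concrete, here is an added example of how a revocation endpoint along the lines of RFC 7009 should behave. It is hypothetical illustration code written for this article, not Doorkeeper's implementation: the `RevocationEndpoint` class, the `Client` struct and the constructed client and token data are all assumptions. A public client may revoke its own tokens by identifying itself with a bare `client_id`; a confidential client must present its secret and is refused with `401 invalid_client` otherwise; a token issued to a different client is left alone; and revoking either half of an access/refresh pair invalidates both, which is the "logout" the article says was broken.

```ruby
# Hypothetical RFC 7009-style revocation endpoint (added example, not
# Doorkeeper's code). All client and token data below is constructed.

# A public client (mobile app, SPA) holds no secret; a confidential client
# (server-side app) must prove possession of its secret on every request.
Client = Struct.new(:client_id, :secret, :confidential)

CLIENTS = {
  'mobile-app' => Client.new('mobile-app', nil, false),
  'backend'    => Client.new('backend', 's3cret', true),
  'other-app'  => Client.new('other-app', 'other', true)
}.freeze

# Fresh token store per call: token string => issuing client, state, and
# the paired token (access <-> refresh) that must die with it.
def sample_tokens
  {
    'AT-mobile'  => { client_id: 'mobile-app', revoked: false, pair: 'RT-mobile' },
    'RT-mobile'  => { client_id: 'mobile-app', revoked: false, pair: 'AT-mobile' },
    'AT-backend' => { client_id: 'backend',    revoked: false, pair: 'RT-backend' },
    'RT-backend' => { client_id: 'backend',    revoked: false, pair: 'AT-backend' }
  }
end

# Constant-time string comparison so secret checks do not leak timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

class RevocationEndpoint
  def initialize(clients, tokens)
    @clients = clients
    @tokens = tokens
  end

  # Handle a revocation request. Returns [http_status, json_body].
  # params:     the form body ({ token:, client_id: })
  # basic_auth: HTTP Basic credentials ({ client_id:, client_secret: }) or nil
  def revoke(params, basic_auth = nil)
    client = authenticate_client(params, basic_auth)
    return [401, { error: 'invalid_client' }] if client.nil?

    token = @tokens[params[:token]]
    # Unknown token, or a token issued to another client: change nothing,
    # but still answer 200 so the response does not reveal token validity
    # (RFC 7009 section 2.2 asks for 200 on invalid tokens).
    return [200, {}] if token.nil? || token[:client_id] != client.client_id

    token[:revoked] = true
    partner = @tokens[token[:pair]]
    partner[:revoked] = true if partner
    [200, {}]
  end

  def token_active?(value)
    t = @tokens[value]
    !t.nil? && !t[:revoked]
  end

  private

  # Resolve the requesting client, or nil if it cannot be trusted.
  # Gap 1 from the advisory: a public client with no secret must still be
  # accepted.  Gap 2: a confidential client must actually prove its secret;
  # a bare client_id, or a wrong secret, is not authentication.
  def authenticate_client(params, basic_auth)
    if basic_auth
      client = @clients[basic_auth[:client_id]]
      return nil unless client
      return client unless client.confidential
      return secure_equal?(client.secret, basic_auth[:client_secret]) ? client : nil
    end
    client = @clients[params[:client_id]]
    return nil unless client
    client.confidential ? nil : client
  end
end

def build_endpoint
  RevocationEndpoint.new(CLIENTS, sample_tokens)
end

if $PROGRAM_NAME == __FILE__
  ep = build_endpoint
  p ep.revoke({ token: 'AT-mobile', client_id: 'mobile-app' })          # public client, no secret
  p ep.token_active?('RT-mobile')                                       # paired refresh token gone too
  p ep.revoke({ token: 'AT-backend', client_id: 'backend' })            # confidential client w/o secret
  p ep.revoke({ token: 'AT-backend' }, { client_id: 'backend', client_secret: 's3cret' })
end
```

The design point is that client authentication and token ownership are two separate checks: the first decides whether the caller is who it claims to be (and for public clients that is simply the `client_id`), the second decides whether it may touch this particular token. Dropping either one gives you one of the two failures described above.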

The bug has been assigned CVE-2016-6582, and Doorkeeper has patched the issue in the most current version, 4.2.0.

The same issue was independently discovered by Jonathan Clem and posted to Doorkeeper's GitHub issues tracker. ®
