Mastodon is a free, open-source social network server based on ActivityPub.

Mastodon allows new identities from configured external authentication providers (CAS, SAML, OIDC) to attach to existing local users that have the same e-mail address. When a user logs in through an external authentication provider for the first time, Mastodon looks up the e-mail address passed by the provider to find an existing account and links the new identity to it. Because the e-mail address alone is used as the matching key, an authentication provider that allows a user to change the e-mail address of their account, or a deployment with multiple authentication providers configured, makes it possible for an attacker to attach their own identity to a victim's Mastodon account and hijack it immediately.

All users who log in through external authentication providers are affected. The severity is medium, as exploitation also requires the external authentication provider to misbehave by asserting an e-mail address it has not verified. However, some well-known OIDC providers (such as Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration, which widens the set of clients whose claims the provider may issue.
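The following Ruby example is an added illustration of the linking logic described above and is not Mastodon's own code; the `AccountStore`, `login_vulnerable` and `login_hardened` names and the in-memory user and identity records are hypothetical. It models the vulnerable first-login behaviour (attach an unknown provider identity to whichever local user has the asserted e-mail) beside a hardened variant that only attaches to an existing local user when the provider asserts the e-mail as verified, and otherwise refuses so the identity has to be linked explicitly by the signed-in user. The scenario at the bottom is constructed: a victim owns `alice@example.com` locally, and an attacker has changed the e-mail of their own provider account to that address without verification.

```ruby
# Added example, not Mastodon's code. Minimal model of "attach external
# identity to local user by e-mail" and why that is an account-takeover risk.
require 'securerandom'

User     = Struct.new(:id, :email, :username)
Identity = Struct.new(:provider, :uid, :user_id)   # uid = provider's subject

class AccountStore
  attr_reader :users, :identities

  def initialize
    @users = []
    @identities = []
  end

  def add_user(email, username)
    user = User.new(SecureRandom.uuid, email.downcase, username)
    @users << user
    user
  end

  # Identities are keyed by (provider, subject); the e-mail is never part of the key.
  def find_identity(provider, uid)
    @identities.find { |i| i.provider == provider && i.uid == uid }
  end

  def find_user_by_email(email)
    @users.find { |u| u.email == email.downcase }
  end

  def user_for(identity)
    @users.find { |u| u.id == identity.user_id }
  end

  def link(provider, uid, user)
    @identities << Identity.new(provider, uid, user.id)
    user
  end

  # VULNERABLE: an unknown (provider, uid) is attached to whatever local user
  # owns the e-mail the provider claims, with no check that the provider
  # actually verified that address.
  def login_vulnerable(provider, uid, email)
    identity = find_identity(provider, uid)
    return user_for(identity) if identity

    existing = find_user_by_email(email)
    return link(provider, uid, existing) if existing

    link(provider, uid, add_user(email, email.split('@').first))
  end

  # HARDENED: an unknown (provider, uid) may attach to an existing local user
  # only when the provider asserts the e-mail as verified (e.g. the OIDC
  # email_verified claim). Otherwise the login is refused; the user can link
  # the identity explicitly while already signed in.
  def login_hardened(provider, uid, email, email_verified:)
    identity = find_identity(provider, uid)
    return user_for(identity) if identity

    existing = find_user_by_email(email)
    if existing
      unless email_verified
        raise SecurityError, "refusing to attach unverified e-mail #{email} to an existing account"
      end
      return link(provider, uid, existing)
    end

    link(provider, uid, add_user(email, email.split('@').first))
  end
end

# Constructed takeover scenario. Returns :hijacked when the attacker's identity
# ends up attached to the victim's account, :refused when the login is rejected.
def takeover_scenario(hardened:)
  store  = AccountStore.new
  victim = store.add_user('alice@example.com', 'alice')
  attacker_uid = 'attacker-subject-123'   # attacker's own subject at the IdP

  if hardened
    store.login_hardened('oidc', attacker_uid, 'alice@example.com', email_verified: false)
    :linked
  else
    result = store.login_vulnerable('oidc', attacker_uid, 'alice@example.com')
    result.id == victim.id ? :hijacked : :linked
  end
rescue SecurityError
  :refused
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{takeover_scenario(hardened: false)}"
  puts "hardened:   #{takeover_scenario(hardened: true)}"
end
```

The hardened variant still trusts the provider's verified flag, which is exactly the trust the advisory says some providers make easy to break; a deployment that cannot rely on that flag should disable e-mail-based attachment entirely and only ever link identities from an already authenticated session.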