Authentication Bypass by Primary Weakness in firefly-iii/firefly-iii
Oct 23rd 2021
Firefly III allows users to register OAuth clients. However, Firefly allows duplicate client names to be registered in the application. Hence, an attacker using a different account (assuming registration is enabled) can register a client with a duplicate client name and trick the user into accepting the authorization request, gaining access to their account.
Proof of Concept
1: Two accounts. Register OAuth client "Legit Application" on account 1.
2: Register OAuth client "Legit Application" on account 2 with redirect_uri set to http://[MALICIOUS-SERVER].
3: On a session with account 1, access the following link:
4: Notice that the OAuth prompt still uses the "Legit Application" name, which the user of account 1 would implicitly trust.
5: If the attacker manages to retrieve the auth code through the GET request to the malicious server (made when the victim clicks the button), they can send it together with their client secret to retrieve the access token.
6: And with the access_token, by using it in the Authorization: Bearer header, I can now access the API as my victim account.
The following are the available APIs (from your Swagger document) with which the Auth bearer header can be used: https://api-docs.firefly-iii.org/#/about/getCurrentUser
An attacker can send the OAuth link to a user in an email and, by tricking them into accepting the OAuth authorization under a duplicate client name that they trust, interact with the API using the victim's account.
Either display the OAuth redirect_uri on the authorization page or prevent duplicate client names.
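As an added illustration of both mitigations (this is a standalone Python model written for this page, not Firefly III's own code, which is PHP): a client registry that rejects a second registration whose name collides after case folding and whitespace collapsing, and a consent prompt that shows the redirect host next to the client name. The class and function names are hypothetical.

```python
import unicodedata
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class OAuthClient:
    owner: str          # account that registered the client
    name: str           # display name shown on the consent prompt
    redirect_uri: str   # where the authorization code will be sent


class DuplicateClientName(ValueError):
    """Raised when a new client name would collide with an existing one."""


def normalize_name(name: str) -> str:
    # Fold case, apply Unicode compatibility normalization and collapse
    # whitespace, so "LEGIT  application" cannot pass as a different name.
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


class ClientRegistry:
    """Hypothetical application-wide registry of OAuth clients."""

    def __init__(self) -> None:
        self._by_name: dict[str, OAuthClient] = {}

    def is_name_available(self, name: str) -> bool:
        return normalize_name(name) not in self._by_name

    def register(self, owner: str, name: str, redirect_uri: str) -> OAuthClient:
        # Mitigation 1: the uniqueness check spans all accounts, not just
        # the registering owner's own clients.
        if not self.is_name_available(name):
            raise DuplicateClientName(f"client name already taken: {name!r}")
        client = OAuthClient(owner, name, redirect_uri)
        self._by_name[normalize_name(name)] = client
        return client


def consent_prompt(client: OAuthClient) -> str:
    # Mitigation 2: show the redirect host, so the user sees where the
    # authorization code is going rather than trusting the name alone.
    host = urlsplit(client.redirect_uri).netloc
    return f'"{client.name}" requests access to your account; the code will be sent to {host}.'
```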