WSO2 Products Cross-Tenant Authentication Vulnerability Allowing Account Takeover

Vulnerability

A cross-tenant authentication vulnerability has been identified in multiple WSO2 products, including WSO2 Identity Server, WSO2 Identity Server as Key Manager, and WSO2 Open Banking IAM. This vulnerability arises from improper cryptographic design in Adaptive Authentication, where a single cryptographic key is used across all tenants to sign authentication cookies. This flaw enables a privileged user in one tenant to forge authentication cookies for users in other tenants. The issue is exacerbated by the fact that the Auto-Login feature is enabled by default, potentially allowing an attacker to gain unauthorized access and take over accounts in other tenants. Exploitation requires access to the Adaptive Authentication functionality, which is typically restricted to high-privileged users, and is only possible when Auto-Login is enabled.
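
The flaw described above is a key-separation failure: when one signing key is shared by every tenant, a valid signature says nothing about which tenant produced it, so the verifier cannot tell a cookie minted in tenant A from one minted in tenant B. The following added example is not WSO2 code; the cookie format, derivation label, tenant ids and master secret are constructed for illustration. It models a cookie verifier once with a shared key and once with per-tenant derived keys, plus a regression check a defender can run to confirm that a cookie minted under one tenant's key is rejected by another tenant.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional
# Constructed sample master secret; a real deployment keeps this in a secret store.
MASTER_KEY = b"constructed-master-secret-for-illustration"

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(key: bytes, tenant: str, user: str, exp: int) -> str:
    """Sign an auto-login cookie: base64(claims).base64(HMAC-SHA256 tag)."""
    claims = json.dumps({"tenant": tenant, "user": user, "exp": exp}, sort_keys=True).encode()
    return _b64(claims) + "." + _b64(hmac.new(key, claims, hashlib.sha256).digest())

def verify(key: bytes, cookie: str, now: int) -> Optional[dict]:
    """Return the claims if the tag is valid under `key` and the cookie is unexpired."""
    try:
        c64, t64 = cookie.split(".")
        claims, tag = _unb64(c64), _unb64(t64)
    except ValueError:  # malformed cookie: wrong number of parts or bad base64
        return None
    if not hmac.compare_digest(hmac.new(key, claims, hashlib.sha256).digest(), tag):
        return None
    parsed = json.loads(claims)
    return parsed if parsed.get("exp", 0) > now else None

# Weak design (the flaw class in the advisory): every tenant signs with one key,
# so a valid tag proves nothing about which tenant produced it.
def tenant_key_shared(tenant: str) -> bytes:
    return MASTER_KEY

# Hardened design: derive a per-tenant key from the master key and the tenant id,
# so a tag made under tenant A's key never verifies under tenant B's key.
def tenant_key_derived(tenant: str) -> bytes:
    return hmac.new(MASTER_KEY, b"auto-login-cookie-key:" + tenant.encode(), hashlib.sha256).digest()

def login_from_cookie(keyfn: Callable[[str], bytes], request_tenant: str, cookie: str, now: int) -> Optional[str]:
    """Use the key of the tenant the request arrived at; reject claims naming any other tenant."""
    claims = verify(keyfn(request_tenant), cookie, now)
    return claims["user"] if claims and claims.get("tenant") == request_tenant else None

def tenant_isolation_holds(keyfn: Callable[[str], bytes]) -> bool:
    """Regression check: a cookie minted with tenant A's key must not log anyone in at tenant B."""
    now = 1_700_000_000
    crossed = mint(keyfn("tenant-a.example"), "tenant-b.example", "victim", now + 600)
    return login_from_cookie(keyfn, "tenant-b.example", crossed, now) is None
```

Running `tenant_isolation_holds` against both key functions shows the shared-key verifier accepting the cross-tenant cookie while the derived-key verifier rejects it; the tenant check in `login_from_cookie` alone does not help in the shared case, because the claims already name the target tenant.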

Impact

Successful exploitation could lead to unauthorized access and account takeover across multiple tenants, allowing an attacker to impersonate a victim.

Remediation

WSO2 community users are advised to migrate to the latest version of the respective WSO2 products. Support subscription holders should update their product to the specified update level or a higher update level to apply the fix.

Added: Sep 23, 2025, 5:18 PM
Updated: Sep 23, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 5.0
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.