TYPO3 OpenID Connect Authentication Extension Account Takeover Vulnerability
Vulnerability
A vulnerability allowing account takeover has been identified in the OpenID Connect Authentication extension for TYPO3, versions prior to 4.0.0. The issue arises from the account linking logic, which permits a pre-hijacking attack. Exploitation requires that an attacker can predict a user's email address, register a public frontend user account with that email before the user's first OIDC login, and that the Identity Provider (IDP) returns the email field containing the user's email address.
Impact
Successful exploitation gives an attacker unauthorized access to a frontend user account, resulting in account takeover.
Remediation
Users are advised to update the OpenID Connect Authentication extension to version 4.0.0, available through the TYPO3 extension manager, Packagist, or by downloading the ZIP file from the TYPO3 extensions website. Note that the updated version introduces a breaking change by removing the username field from the OIDC authentication service user lookup. Users who need to restore this functionality can use the AuthenticationFetchUserEvent to modify the lookup criteria, ensuring it does not include user-generated content.
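To make the linking flaw concrete, here is an added, simplified Python model of an OIDC-to-frontend-user lookup (constructed for this page, not the extension's code): the vulnerable variant adopts any existing frontend user whose username or email matches the IdP's email claim, while the hardened variant keys only on the IdP-issued subject identifier and never adopts a pre-registered record. All names, claim values and the store structure are assumptions.

```python
# Constructed model of account linking (not the TYPO3 extension's code).
# Shows why matching existing users on attacker-registrable fields enables
# pre-hijacking, and a lookup keyed on the IdP subject that does not.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class FrontendUser:
    uid: int
    username: str
    email: str
    password_set: bool              # True for a self-registered password account
    oidc_sub: Optional[str] = None  # IdP subject stored at first OIDC login

@dataclass
class UserStore:
    users: list = field(default_factory=list)

    def add(self, username, email, password_set=False, oidc_sub=None):
        u = FrontendUser(len(self.users) + 1, username, email, password_set, oidc_sub)
        self.users.append(u)
        return u

def vulnerable_fetch_user(store, claims):
    """Lookup that trusts user-generated fields: a record whose username or
    email equals the IdP's email claim is adopted as the OIDC user."""
    for u in store.users:
        if u.oidc_sub == claims["sub"] or claims["email"] in (u.username, u.email):
            return u
    return store.add(claims["email"], claims["email"], oidc_sub=claims["sub"])

def hardened_fetch_user(store, claims):
    """Lookup keyed only on the IdP subject. A never-linked identity gets a
    fresh record instead of adopting a pre-registered account."""
    for u in store.users:
        if u.oidc_sub == claims["sub"]:
            return u
    # Username derived from the subject so it cannot collide with self-registered names.
    return store.add("oidc_" + claims["sub"], claims["email"], oidc_sub=claims["sub"])

def simulate(fetch):
    store = UserStore()
    # Attacker pre-registers a public frontend account with the victim's email.
    attacker = store.add("victim@example.com", "victim@example.com", password_set=True)
    # Victim's first OIDC login; the IdP returns the email claim (constructed values).
    claims = {"sub": "idp-subject-1234", "email": "victim@example.com"}
    victim = fetch(store, claims)
    # True when the victim's login landed on a record the attacker still controls.
    return victim.uid == attacker.uid and attacker.password_set
```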