Immich Account Hijacking Vulnerability via OAuth2 State Parameter Mismanagement
Vulnerability
Immich versions prior to 1.132.0 mishandle the OAuth2 state parameter, which allows account hijacking. The state value plays the same role as a CSRF token: Immich generates it when the login flow starts and stores it in the browser session, but it never compares the stored value with the state returned on the callback, so any callback URL is accepted regardless of who started the flow. Because the /user-settings page is accepted as a redirect URI and Immich links the returned OAuth identity automatically when the user is already logged in, an attacker can complete the provider side of the flow with their own account at a public provider such as Google, capture the callback URL, and have a logged-in victim load it. The attacker's OAuth identity is then linked to the victim's Immich account, and the attacker can sign in to the victim's account with the attacker's own OAuth credentials.
Impact
An attacker who exploits this vulnerability hijacks a victim's account by linking it to the attacker's own OAuth identity, gaining access to the victim's data and account functionality. If the victim is an administrator, the attacker also gains administrative control over the Immich instance.
Reproduction
To reproduce this vulnerability, initiate the OAuth flow against a public OAuth provider with a forged state parameter and the Immich /user-settings page as the redirect URI. Log in to the provider with the attacker's account, then block the redirect back to the Immich instance and capture the callback URL, which carries the attacker's authorization code. Deliver that URL to a victim who is logged in to Immich; because the state is never compared with the victim's session, loading the URL completes the flow and links the attacker's OAuth identity to the victim's account. This can be automated or embedded in a webpage so that the victim's browser follows the callback without any interaction.
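The following is an added example, not Immich's own code, that models the linking step described in the Vulnerability and Reproduction sections. The session type, the in-memory link table, the fake provider with its authorization codes, and the route names are all constructed for illustration. With the check switched off the handler behaves as described above, linking whatever identity the callback carries to whoever is logged in; with it switched on, the callback is honoured only when its state matches the value this session issued, and that value is consumed so it cannot be replayed.

```typescript
import { randomBytes, timingSafeEqual } from "crypto";

// Constructed model of the pieces in the linking flow; names are hypothetical.
export interface Session {
  userId: string;        // user currently logged in to the app in this browser
  oauthState?: string;   // state issued when this session began an OAuth flow
}

// OAuth subject -> app user id. Stands in for the server's link table.
export type LinkTable = Map<string, string>;

// Hypothetical provider: authorization code -> subject that logged in there.
const PROVIDER_CODES: Record<string, string> = {
  "code-attacker": "google-sub-attacker",
  "code-alice": "google-sub-alice",
};

const REDIRECT_URI = "https://immich.example/user-settings";

// Step 1 of a genuine flow: mint a random state and remember it in the session.
export function startAuthorize(session: Session): string {
  session.oauthState = randomBytes(16).toString("hex");
  const u = new URL("https://provider.example/authorize");
  u.searchParams.set("redirect_uri", REDIRECT_URI);
  u.searchParams.set("state", session.oauthState);
  return u.toString();
}

function sameState(expected: string, got: string): boolean {
  const a = Buffer.from(expected), b = Buffer.from(got);
  return a.length === b.length && timingSafeEqual(a, b);
}

export interface CallbackResult { ok: boolean; reason?: string }

// Step 2: the callback. checkState=false reproduces the vulnerable behaviour;
// checkState=true is the hardened form (compare against the session, single use).
export function handleCallback(session: Session, links: LinkTable, callbackUrl: string,
                               opts: { checkState: boolean }): CallbackResult {
  const q = new URL(callbackUrl).searchParams;
  const code = q.get("code") ?? "";
  const state = q.get("state") ?? "";

  if (opts.checkState) {
    const expected = session.oauthState;
    session.oauthState = undefined;   // consume it whatever happens next
    if (!expected || !sameState(expected, state)) {
      return { ok: false, reason: "state mismatch: flow was not started by this session" };
    }
  }

  const sub = PROVIDER_CODES[code];   // stands in for the code-for-token exchange
  if (!sub) return { ok: false, reason: "unknown authorization code" };
  if (links.has(sub) && links.get(sub) !== session.userId) {
    return { ok: false, reason: "identity already linked to another user" };
  }
  links.set(sub, session.userId);     // link the returned identity to the logged-in user
  return { ok: true };
}

// The attack: the attacker ran the provider side with a forged state, blocked the
// redirect and captured this URL. The victim is logged in and never started a flow.
export function attack(checkState: boolean): { result: CallbackResult; linkedTo?: string } {
  const victim: Session = { userId: "victim" };
  const links: LinkTable = new Map();
  const captured = `${REDIRECT_URI}?code=code-attacker&state=forged`;
  const result = handleCallback(victim, links, captured, { checkState });
  return { result, linkedTo: links.get("google-sub-attacker") };
}

// A genuine flow still succeeds with the check on, and the state cannot be replayed.
export function legitimate(): { first: CallbackResult; replay: CallbackResult } {
  const s: Session = { userId: "alice" };
  const links: LinkTable = new Map();
  const state = new URL(startAuthorize(s)).searchParams.get("state") ?? "";
  const cb = `${REDIRECT_URI}?code=code-alice&state=${state}`;
  const first = handleCallback(s, links, cb, { checkState: true });
  const replay = handleCallback(s, links, cb, { checkState: true });
  return { first, replay };
}
```

The two properties worth keeping when porting this to a real handler are that the comparison is against a value bound to the victim's own session rather than to anything in the URL, and that the stored state is cleared before the outcome is known, so a mismatched or replayed callback cannot be retried against the same session.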
Remediation
Users are advised to update to Immich version 1.132.0 or later, which fixes the state handling. Until then, administrators should review existing OAuth links on user accounts for identities that the account owner did not link themselves.
