WorkOS AuthKit for Remix Sensitive Data Exposure Vulnerability

Vulnerability

A vulnerability in the AuthKit library for Remix, specifically in versions prior to 0.15.0, allowed sensitive authentication data, including the access token and sealed session, to be exposed. This data was returned by the authkitLoader and rendered in the browser's HTML, creating a risk of session hijacking, particularly in environments vulnerable to cross-site scripting (XSS) or with certain malicious browser extensions.

Impact

The exposure of access tokens and session data could lead to session hijacking, allowing an attacker to impersonate a user or gain unauthorized access to resources.

Reproduction

This vulnerability can be reproduced by using the AuthKit library for Remix in a version prior to 0.15.0. The authkitLoader function can be called, and the response will include the accessToken and sealedSession. These values will be rendered into the HTML, where they can be accessed by the user or potentially exploited by an attacker.

Remediation

Users can upgrade to AuthKit version 0.15.0 or later, where this vulnerability has been patched. In the updated version, the accessToken and sealedSession are no longer returned by default from the authkitLoader. Instead, a secure server-side method is available to fetch the access token when needed.
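To make concrete why returning these values from a loader is dangerous, here is an added example (not WorkOS's or the library's code) that simulates the pre-0.15.0 loader data, strips the sensitive keys before they can be serialized, and checks the rendered HTML for leaks. The sample user data, the placeholder token values, the `CLIENT_DENYLIST` and the hydration-script shape are constructed assumptions.

```javascript
// Added example (not WorkOS code): anything a Remix loader returns is
// serialized into the page HTML, so sensitive fields must be removed server-side.

// Stand-in for the pre-0.15.0 authkitLoader behaviour (constructed data,
// not the real library): the loader hands back the access token and sealed session.
function vulnerableLoaderData() {
  return {
    user: { id: "user_EXAMPLE", email: "alice@example.com" },
    accessToken: "ACCESS_TOKEN_PLACEHOLDER",
    sealedSession: "SEALED_SESSION_PLACEHOLDER",
  };
}

// Keys that must never reach a client-visible payload (assumed denylist).
const CLIENT_DENYLIST = new Set(["accessToken", "sealedSession"]);

// Recursively drop denylisted keys so the remaining data is safe to return
// from a loader. Arrays and nested objects are walked; primitives pass through.
function stripClientSecrets(value, denylist = CLIENT_DENYLIST) {
  if (Array.isArray(value)) return value.map((v) => stripClientSecrets(v, denylist));
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    if (!denylist.has(k)) out[k] = stripClientSecrets(v, denylist);
  }
  return out;
}

// Rough simulation of how Remix embeds loader data for hydration: it is
// JSON-serialized into an inline <script>, readable by any script running
// on the page (an XSS payload or a malicious extension included).
function renderHydrationScript(loaderData) {
  const json = JSON.stringify({ loaderData: { "routes/_index": loaderData } });
  return `<script>window.__remixContext = ${json};</script>`;
}

// Detection check for a unit or CI smoke test: which of the known secret
// values appear verbatim in the rendered HTML?
function leakedSecrets(html, secretValues) {
  return secretValues.filter((s) => html.includes(s));
}
```

The same `leakedSecrets` check can be run against a real server-rendered page in a test to confirm that an upgrade actually removed the fields from the hydration payload.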

Added: Aug 9, 2025, 3:19 AM
Updated: Aug 9, 2025, 3:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.