OpenML Email Update Vulnerability Leading to Account Lockout

Vulnerability

A denial-of-service vulnerability has been identified in the OpenML web application, affecting version 2.0.20241110 and prior. The issue arises from two properties combined: user IDs are assigned incrementally, so victim accounts are easy to enumerate, and the email update process neither checks that the new address is unused nor verifies that the caller controls it. An authenticated attacker whose account has a lower user ID can set their own email address to that of a user with a higher user ID. The victim's email is thereby bound to the attacker's account, which immediately locks the victim out and invalidates the victim's access token. The vulnerability does not give the attacker direct access to the victim's private data, but the loss of the email binding is a significant disruption of service.

Impact

Exploiting this vulnerability locks the victim out of their account, because their email address is reassigned to the attacker's account and the victim's existing access token is invalidated. The attacker never needs the victim's password: holding the victim's email address as a login identifier is enough to take over the victim's login identity, even though, as noted above, the victim's private data is not exposed directly.

Reproduction

To reproduce this vulnerability, first identify two user accounts with predictable incremental user IDs, making sure the attacker-controlled account has the lower ID. Authenticate as that account to obtain a bearer token, then submit an email update for it that sets the address to the victim's email (the account with the higher ID). Because the application neither rejects an address that is already in use nor requires proof of ownership, the update succeeds; the victim's original email is now bound to the attacker's account and the victim is locked out.
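As an added illustration, not OpenML's code and not based on its API, the following Python model shows the missing check at the heart of this issue beside a hardened email-change flow. The toy account store, its sequential IDs, the functions update_email_vulnerable, request_email_change and confirm_email_change, and the sample addresses are all assumptions made for this example; the vulnerable function mirrors the behaviour described above, and the hardened pair adds the uniqueness check and the mailbox confirmation step that the advisory says is absent.

```python
# Added example, not OpenML's code: a toy account store that models the
# email-collision lockout described in this advisory and a hardened flow.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: int
    email: str
    salt: bytes
    pw_hash: bytes
    pending_email: Optional[str] = None   # hardened flow: address awaiting confirmation
    pending_token: Optional[str] = None   # hardened flow: one-time confirmation token


class EmailUnavailable(Exception):
    """Hardened flow: the requested address is bound to another account."""


class AccountStore:
    """Assumed toy store with sequential integer IDs, as the advisory describes."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.next_id = 1

    def create(self, email: str, password: str) -> int:
        salt = secrets.token_bytes(16)
        uid, self.next_id = self.next_id, self.next_id + 1
        self.users[uid] = User(uid, email.lower(), salt, _hash_password(password, salt))
        return uid

    def owner_of(self, email: str, exclude: Optional[int] = None) -> Optional[int]:
        """Lowest user ID whose current or pending email matches, case-insensitively."""
        email = email.lower()
        for uid in sorted(self.users):
            u = self.users[uid]
            if uid != exclude and email in (u.email, u.pending_email):
                return uid
        return None

    def login(self, email: str, password: str) -> Optional[int]:
        """Resolve the email to the lowest matching ID, then verify the password.
        After the vulnerable update two accounts share the address, so the
        victim's credentials resolve to the attacker's record and fail."""
        email = email.lower()
        for uid in sorted(self.users):
            u = self.users[uid]
            if u.email == email:
                good = hmac.compare_digest(u.pw_hash, _hash_password(password, u.salt))
                return uid if good else None
        return None


def update_email_vulnerable(store: AccountStore, actor_id: int, new_email: str) -> None:
    # Mirrors the advisory: the authenticated caller may set any address,
    # with no uniqueness check and no proof that they control the mailbox.
    store.users[actor_id].email = new_email.lower()


def request_email_change(store: AccountStore, actor_id: int, new_email: str) -> str:
    # Hardened step 1: refuse an address already bound (or pending) elsewhere,
    # then park the change behind a token that only the new mailbox receives.
    new_email = new_email.lower()
    if store.owner_of(new_email, exclude=actor_id) is not None:
        raise EmailUnavailable(new_email)
    token = secrets.token_urlsafe(32)
    actor = store.users[actor_id]
    actor.pending_email, actor.pending_token = new_email, token
    # A real service mails the token to new_email and never returns it to the
    # caller; it is returned here only so the example runs without a mail server.
    return token


def confirm_email_change(store: AccountStore, actor_id: int, token: str) -> bool:
    # Hardened step 2: the change takes effect only with the mailed token, and the
    # uniqueness check is repeated in case another account claimed the address meanwhile.
    actor = store.users[actor_id]
    if actor.pending_token is None or not hmac.compare_digest(actor.pending_token, token):
        return False
    if store.owner_of(actor.pending_email, exclude=actor_id) is not None:
        actor.pending_email = actor.pending_token = None
        return False
    actor.email = actor.pending_email
    actor.pending_email = actor.pending_token = None
    return True


if __name__ == "__main__":
    s = AccountStore()
    attacker = s.create("attacker@example.com", "attacker-pw")  # constructed sample accounts
    victim = s.create("victim@example.com", "victim-pw")
    update_email_vulnerable(s, attacker, "victim@example.com")
    print("victim login after takeover:", s.login("victim@example.com", "victim-pw"))
```

Raising EmailUnavailable tells the caller whether an address is registered; if that oracle matters, the service can instead answer uniformly and send a notice to the existing owner's mailbox. Either way the old address should be notified of the change and the actor's sessions re-evaluated, since an address swap is exactly the step an account-takeover chain relies on.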

Remediation

Users are advised to update to a version of OpenML later than 2.0.20241110, in which this vulnerability has been addressed. Operators of self-hosted instances should also confirm that the email update path rejects an address already bound to another account and requires confirmation from the new mailbox before it becomes the login identifier.

Added: Sep 29, 2025, 3:19 PM
Updated: Sep 29, 2025, 8:03 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  6.2
remediation     0.0
relevance       0.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.