Basecamp Google Sign-In Same-Origin Bypass Vulnerability Leading to Improper Redirects

Vulnerability

A vulnerability in Basecamp's Google Sign-In for Rails applications, prior to version 1.3.0, allows an attacker to craft malformed URLs that pass the library's same-origin check yet redirect the browser to a different origin. The issue is particularly concerning for Rails applications that store flash data in the session cookie, because it could be exploited by injecting arbitrary data into that cookie. The vulnerability is fixed in version 1.3.0. For those unable to upgrade, setting the session cookie's SameSite attribute to Lax or Strict mitigates the risk.

Impact

Exploitation of this vulnerability could lead to unauthorized redirection of users, potentially allowing for the interception of authentication tokens or other sensitive information.

Reproduction

The vulnerability can be reproduced by crafting a malformed URL that the same-origin check accepts but that redirects to a different origin. Such a URL can then be supplied wherever the application expects a valid URL, such as the redirect target after authentication. If the application stores session data in cookies, this can be combined with an attack that injects data into the session cookie.
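The defensive counterpart to the check described above is a redirect-target validator that refuses anything it cannot parse as an absolute http(s) URL on the application's own origin, rather than trying to normalise odd input. The following is an added example, not code from the advisory or from the Google Sign-In library; the origin https://app.example.com and the helper names same_origin? and safe_redirect_target are assumptions made for the example.

```ruby
require "uri"

# Added example (not the Google Sign-In library's own code): a strict
# same-origin check for post-login redirect targets. The application's
# origin below is constructed for the example.
APP_ORIGIN = URI.parse("https://app.example.com")

# Returns true only when `candidate` parses as an absolute http(s) URL
# whose scheme, host and port all match APP_ORIGIN. Anything that does
# not parse, or that lacks any of those components, is rejected outright
# so that a string the checker cannot interpret is never handed to the
# browser, which might interpret it differently.
def same_origin?(candidate)
  return false unless candidate.is_a?(String) && !candidate.empty?

  uri = begin
    URI.parse(candidate)
  rescue URI::InvalidURIError
    return false
  end

  # URI::HTTPS is a subclass of URI::HTTP, so this admits both schemes;
  # scheme-relative ("//host/path") and path-only strings parse as
  # URI::Generic and are rejected here.
  return false unless uri.is_a?(URI::HTTP)
  return false if uri.host.nil? || uri.host.empty?

  uri.scheme == APP_ORIGIN.scheme &&
    uri.host.downcase == APP_ORIGIN.host.downcase &&
    uri.port == APP_ORIGIN.port # default port is filled in by URI
end

# Chooses the redirect destination: the candidate if it is same-origin,
# otherwise a fixed fallback path on the application's own origin.
def safe_redirect_target(candidate, fallback: "/")
  same_origin?(candidate) ? candidate : fallback
end

if __FILE__ == $PROGRAM_NAME
  ["https://app.example.com/dashboard",
   "https://evil.example/dashboard",
   "//app.example.com/dashboard",
   "https://app.example.com:8443/dashboard"].each do |url|
    puts "#{url.ljust(40)} -> #{safe_redirect_target(url)}"
  end
end
```

The check deliberately rejects relative paths; if an application wants to allow them, it should accept only a path that begins with a single "/" and resolve it against its own origin before redirecting, rather than loosening the URL comparison.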

Remediation

Users can upgrade to Google Sign-In version 1.3.0, where this vulnerability has been fixed. If upgrading is not possible, the session cookie's SameSite attribute should be set to Lax or Strict.
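Whether the SameSite mitigation is actually in effect can be confirmed from the Set-Cookie header the application emits for its session cookie. The following is an added example, not part of the advisory or the library: a small parser for one Set-Cookie header value and a check that the session cookie carries SameSite=Lax or SameSite=Strict. The cookie name _app_session and the sample headers are constructed for the example.

```ruby
# Added example (not the advisory's or the library's code): verify that
# the Rails session cookie is sent with the SameSite attribute the
# remediation calls for. The cookie name is an assumption for the example.
SESSION_COOKIE_NAME = "_app_session"

# Parses one Set-Cookie header value into [cookie_name, attributes], where
# attributes maps lower-cased attribute names to their values and flag
# attributes such as HttpOnly map to true.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, _value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    key, val = attr.split("=", 2)
    h[key.downcase] = val.nil? ? true : val
  end
  [name, attributes]
end

# Returns :lax, :strict or :none for the session cookie's SameSite value,
# or nil when the header sets a different cookie, omits the attribute, or
# carries a value the browser would not recognise.
def session_cookie_same_site(header)
  name, attributes = parse_set_cookie(header)
  return nil unless name == SESSION_COOKIE_NAME

  value = attributes["samesite"]
  return nil unless value.is_a?(String)

  case value.downcase
  when "lax" then :lax
  when "strict" then :strict
  when "none" then :none
  end
end

# The advisory's mitigation requires Lax or Strict; None (or no attribute,
# which older browsers treat as None) leaves the cookie cross-site.
def session_cookie_mitigated?(header)
  %i[lax strict].include?(session_cookie_same_site(header))
end

# Constructed sample headers, as a Rails application might emit them.
SAMPLE_WEAK   = "_app_session=abc123; path=/; HttpOnly"
SAMPLE_NONE   = "_app_session=abc123; path=/; secure; HttpOnly; SameSite=None"
SAMPLE_LAX    = "_app_session=abc123; path=/; secure; HttpOnly; SameSite=Lax"
SAMPLE_STRICT = "_app_session=abc123; path=/; secure; HttpOnly; SameSite=Strict"

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_WEAK, SAMPLE_NONE, SAMPLE_LAX, SAMPLE_STRICT].each do |h|
    puts "#{session_cookie_mitigated?(h) ? 'ok     ' : 'MISSING'} #{h}"
  end
end
```

On the Rails side the attribute is set in configuration rather than in application code: Rails 6.1 and later apply config.action_dispatch.cookies_same_site_protection to every cookie (its default is :lax), and the same_site: option on config.session_store sets it for the session cookie alone. The check above reads what the server actually sends, so it catches a deployment where that configuration was not applied.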

Added: Aug 27, 2025, 5:18 PM
Updated: Aug 27, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.