Basecamp Google Sign-In Open Redirect Vulnerability in Rails Applications

Vulnerability

A vulnerability in the Basecamp Google Sign-In gem for Rails applications, prior to version 1.3.1, allows open redirects. If the 'proceed_to' value in the session store is set to a protocol-relative URL, the callback controller validates the origin improperly and redirects to another site. This could potentially expose authentication information if combined with other attacks that alter OAuth2 request parameters. The issue arises because the 'proceed_to' value can be manipulated from a malicious site, creating a risk of unauthorized redirection after authentication.

Impact

Exploitation of this vulnerability could lead to unauthorized redirection of users to malicious sites, potentially allowing for the interception of authentication information, especially if used in conjunction with other attacks that can modify OAuth2 request parameters.

Reproduction

The vulnerability can be reproduced by setting the 'proceed_to' parameter to a protocol-relative URL, such as 'http://www.example.com @ evil.example.org/login', during the authorization request. When the callback is processed after the authorization redirect, it redirects to the specified URL, bypassing the same-origin policy.

Remediation

Users can update to version 1.3.1 of the google_sign_in gem, which addresses this vulnerability by ensuring that protocol-relative URLs are properly validated before allowing redirection.
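For applications that store their own post-login redirect target, the kind of check described above can be written as follows. This is an added example, not the gem's code and not the 1.3.1 patch; `safe_proceed_to`, the `/` fallback and the `app.example.com` origin are hypothetical, and the sample inputs are constructed.

```ruby
require "uri"

# Hypothetical helper (not from google_sign_in): returns `target` only when it
# is a local path or an absolute URL on the application's own origin.
# Anything else falls back to a fixed local path.
def safe_proceed_to(target, request_origin, fallback = "/")
  return fallback unless target.is_a?(String) && !target.empty?
  # Backslashes, whitespace and control characters are normalised differently
  # by browsers and by URI parsers, so refuse them outright.
  return fallback if target.match?(/[\\\x00-\x20]/)
  # Protocol-relative URLs ("//host/path") inherit the scheme but leave the site.
  return fallback if target.start_with?("//")

  uri = URI.parse(target)
  # "https://trusted@other-host/" puts the trusted name in userinfo, not host.
  return fallback if uri.userinfo

  if uri.scheme.nil? && uri.host.nil?
    # Plain relative reference: accept only root-relative paths.
    return target.start_with?("/") ? target : fallback
  end
  return fallback unless %w[http https].include?(uri.scheme)

  origin = URI.parse(request_origin)
  same_origin = uri.scheme == origin.scheme &&
                uri.host.to_s.downcase == origin.host.to_s.downcase &&
                uri.port == origin.port
  same_origin ? target : fallback
rescue URI::InvalidURIError
  fallback
end

if __FILE__ == $PROGRAM_NAME
  origin = "https://app.example.com" # constructed sample origin
  [
    "/dashboard?tab=1",
    "https://app.example.com/settings",
    "//evil.example.org/login",
    "https://app.example.com@evil.example.org/login",
    "http://www.example.com @ evil.example.org/login",
    "javascript:alert(1)"
  ].each { |t| puts "#{t.inspect} -> #{safe_proceed_to(t, origin).inspect}" }
end
```
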

Added: Aug 29, 2025, 9:26 PM
Updated: Aug 29, 2025, 9:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.