Python Social Auth Email Association Vulnerability Leading to Account Compromise

Vulnerability

Python Social Auth versions prior to 5.6.0 contain a flaw in the social authentication pipeline. When a user authenticates through a third-party provider that does not validate or require unique email addresses, the login can be associated with an existing account that has the same email address, even when the 'associate_by_email' pipeline step is not enabled. This can grant unauthorized access to accounts, including administrator accounts. The flaw was introduced by a threading fix that inadvertently allowed the association to occur without proper verification.

Impact

Exploitation of this vulnerability could result in unauthorized access to user accounts, including superuser accounts, by associating a social login with an existing account that shares the same email address.

Reproduction

To reproduce this vulnerability, create a user account with a verified email address using a social authentication provider that does not validate emails. Then, log in with a different social account that uses the same email. The login will succeed, and the accounts will be merged, granting access to the original account's privileges.

Remediation

Upgrade to Python Social Auth version 5.6.0 or later, where this vulnerability is patched. Additionally, review the email association policies of the social authentication providers in use.
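As an added example (not code from the advisory or from the social-core project), the following stricter pipeline step only associates a social login with an existing account by email when the backend is on an operator-maintained allowlist of providers that verify email ownership; the backend, strategy and storage objects built by make_backend are constructed stand-ins that follow social-core's pipeline-step contract, and "example-unverified" is a constructed provider name.

```python
# Stricter drop-in for the associate_by_email pipeline step. Uses the same
# contract: backend.name, details["email"], backend.strategy.storage.user.
from dataclasses import dataclass
from types import SimpleNamespace

# Assumption: populated from the operator's own review of provider policies.
# "google-oauth2" is a real social-core backend name.
VERIFIED_EMAIL_BACKENDS = frozenset({"google-oauth2"})


class AuthAssociationRefused(Exception):
    """Raised when an email maps to more than one account (ambiguous merge)."""


@dataclass
class User:
    id: int
    email: str
    is_superuser: bool = False


def associate_by_verified_email(backend, details, user=None, *args, **kwargs):
    """Pipeline step: None lets the pipeline continue (a fresh account is
    created later); {"user": ...} adopts that existing account for this login."""
    if user:                      # already authenticated; nothing to merge
        return None
    email = details.get("email")
    if not email or backend.name not in VERIFIED_EMAIL_BACKENDS:
        return None               # unverified provider: never merge by email
    users = list(backend.strategy.storage.user.get_users_by_email(email))
    if not users:
        return None
    if len(users) > 1:
        raise AuthAssociationRefused("email is shared by several accounts")
    return {"user": users[0], "is_new": False}


def make_backend(name, users):
    """Constructed stand-in for a backend plus its strategy and user storage."""
    def get_users_by_email(email):
        return [u for u in users if u.email.lower() == email.lower()]
    storage = SimpleNamespace(user=SimpleNamespace(get_users_by_email=get_users_by_email))
    return SimpleNamespace(name=name, strategy=SimpleNamespace(storage=storage))


# Constructed sample: an admin account whose email a second login reuses.
ADMIN = User(id=1, email="admin@example.org", is_superuser=True)
DETAILS = {"email": "Admin@example.org"}
```

With this step in place of associate_by_email, a login from "example-unverified" carrying the admin's email falls through to normal account creation instead of being merged into the admin account, while a login from an allowlisted provider is merged as before.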

Added: Oct 9, 2025, 9:18 PM
Updated: Oct 9, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.