Khoj IDOR Vulnerability in Notion OAuth Callback Allows Integration Hijacking

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Notion OAuth callback of Khoj, a self-hostable AI application. This vulnerability, present in versions prior to 2.0.0-beta.23, allows an attacker to hijack a user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying if the OAuth flow was initiated by that user. As a result, attackers can replace the victims' Notion configurations with their own, leading to data poisoning and unauthorized access to the victims' Khoj search index. Exploitation requires knowledge of the user's UUID, which can be obtained from shared conversations containing AI-generated images.

Impact

Exploitation of this vulnerability deletes the targeted user's existing Notion synchronization and replaces it with one controlled by the attacker. This could lead to unauthorized modifications of the user's Notion data and potential poisoning of the Khoj search index with manipulated information.

Reproduction

To reproduce this vulnerability, first, obtain the UUID of a target user from a conversation that includes an AI-generated image. Then, initiate the Notion synchronization process on your own account. Intercept the OAuth callback and replace the state parameter with the victim's UUID. Once the callback is processed, the victim's Notion configuration will be replaced with yours, allowing access to their Khoj search index.

Remediation

Users can update to Khoj version 2.0.0-beta.23 or later, where this vulnerability has been fixed.
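
The missing check described under Vulnerability, as an added example (not Khoj's code or its actual fix): the state value is a signed, expiring, single-use token bound to the user who started the flow, and the callback takes the target account from the authenticated session, never from state. The function names, SECRET, MAX_AGE and the in-memory nonce set are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: server-side key, never sent to clients
MAX_AGE = 600                     # assumption: a flow must complete within 10 minutes
_used_nonces = set()              # single-use tracking (in-memory for this demo)

def _mac(nonce, ts, user_uuid):
    msg = f"{nonce}.{ts}.{user_uuid}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def issue_state(session_user_uuid, now=None):
    """Run when the logged-in user starts the Notion OAuth flow."""
    nonce = secrets.token_urlsafe(16)
    ts = str(int(time.time() if now is None else now))
    return f"{nonce}.{ts}.{_mac(nonce, ts, session_user_uuid)}"

def verify_state(state, session_user_uuid, now=None):
    """Run in the callback; the user comes from the session, not from state."""
    try:
        nonce, ts, mac = state.split(".")
        issued = int(ts)
    except ValueError:
        return False  # e.g. a bare UUID supplied as state
    if not hmac.compare_digest(mac.encode(), _mac(nonce, ts, session_user_uuid).encode()):
        return False  # state was not issued to this session's user
    age = (time.time() if now is None else now) - issued
    if not (0 <= age <= MAX_AGE) or nonce in _used_nonces:
        return False  # expired or replayed
    _used_nonces.add(nonce)
    return True

def callback_vulnerable(state, session_user_uuid):
    # Pattern the advisory describes: the UUID in state selects the account to modify.
    return state

def callback_hardened(state, session_user_uuid):
    # Returns the account whose Notion config may be replaced, or None to reject.
    return session_user_uuid if verify_state(state, session_user_uuid) else None
```

In a multi-process deployment the used-nonce set would live in shared storage such as the session store or a cache with a TTL equal to MAX_AGE.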

Added: Feb 2, 2026, 11:51 PM
Updated: Feb 2, 2026, 11:51 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.2
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.