lunary-ai/lunary
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*
- 1.9.34
A vulnerability allowing account takeover has been identified in lunary-ai/lunary version 1.9.34. The POST API endpoint '/auth/google' accepts a Google OAuth access token and logs the caller in as the Google account the token belongs to, but it never checks the token's 'aud' (audience) field, i.e. that the token was issued to Lunary's own OAuth client ID. Any valid Google access token for the victim's account is therefore accepted, including one that was issued to an attacker-controlled OAuth application.
An attacker who obtains a Google OAuth access token for a victim's account, issued to any application the attacker controls, can present it to '/auth/google' and be logged in as the victim, bypassing authentication on the lunary web application entirely.
To reproduce this vulnerability, register a Google OAuth application and trick a victim into authorizing it, which yields a Google access token for the victim's account whose audience is the attacker's client ID, not Lunary's. Then send a POST request to the '/auth/google' endpoint with that access token. Because the application processes the token without verifying its audience, the attacker is logged into the victim's account. A correct implementation would reject the token at this point, since the audience reported for it is not Lunary's own client ID.
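As an added illustration (not Lunary's own code, and not the 1.9.35 patch), the following TypeScript models the check that was missing. The tokeninfo responses, client IDs and token strings are constructed for the example; `loginVulnerable` mirrors the behaviour described for 1.9.34 and `loginFixed` adds the audience check, plus the expiry and verified-email checks a practitioner would pair with it.

```typescript
// Added example, not Lunary's code. Models the missing audience check on
// POST /auth/google. All values below are constructed for illustration.

// Simplified shape of what Google's tokeninfo endpoint reports for an access
// token (the real response carries these as strings; parsed here for clarity).
type TokenInfo = {
  aud: string;             // OAuth client ID the token was issued to
  sub: string;             // Google account ID
  email: string;
  email_verified: boolean;
  expires_in: number;      // seconds of validity remaining
};

// Hypothetical client ID for the application we are protecting.
const OUR_CLIENT_ID = "lunary-app.apps.googleusercontent.com";

// Constructed stand-in for looking a token up at
// https://oauth2.googleapis.com/tokeninfo?access_token=...
// Both the first two tokens are genuine Google tokens for the same victim
// account; only the application they were issued to differs.
const TOKENINFO: Record<string, TokenInfo> = {
  "ya29.legit": {
    aud: OUR_CLIENT_ID, sub: "1001",
    email: "victim@example.com", email_verified: true, expires_in: 3500,
  },
  "ya29.attacker-app": {
    aud: "evil-quiz.apps.googleusercontent.com", sub: "1001",
    email: "victim@example.com", email_verified: true, expires_in: 3500,
  },
  "ya29.expired": {
    aud: OUR_CLIENT_ID, sub: "1001",
    email: "victim@example.com", email_verified: true, expires_in: 0,
  },
};

function fetchTokenInfo(accessToken: string): TokenInfo | null {
  return TOKENINFO[accessToken] ?? null;
}

// Vulnerable shape (as described for 1.9.34): any token Google recognises
// logs in the account whose email it carries, whoever it was issued to.
function loginVulnerable(accessToken: string): string | null {
  const info = fetchTokenInfo(accessToken);
  if (!info) return null;
  return info.email;
}

// Hardened: the token must have been issued to OUR client ID, be unexpired
// and carry a verified email before it is allowed to identify an account.
function loginFixed(accessToken: string): string | null {
  const info = fetchTokenInfo(accessToken);
  if (!info) return null;
  if (info.aud !== OUR_CLIENT_ID) return null; // the missing audience check
  if (info.expires_in <= 0) return null;
  if (!info.email_verified) return null;
  return info.email;
}

// Stand-alone demonstration of both paths with the attacker's token.
console.log("vulnerable:", loginVulnerable("ya29.attacker-app"));
console.log("fixed:", loginFixed("ya29.attacker-app"));
```

The same rule applies when an application accepts a Google ID token instead of an access token: the JWT's `aud` claim must equal the application's own client ID, which is why verification helpers such as `OAuth2Client.verifyIdToken` in google-auth-library take an explicit `audience` parameter.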
Users should update to lunary-ai/lunary version 1.9.35, where this vulnerability has been fixed.