Supabase Auth Apple and Azure Provider Session Issuance Vulnerability

Vulnerability

A vulnerability in Supabase Auth versions prior to 2.185.0 allows attackers to issue sessions for arbitrary users through the Apple or Azure authentication providers. The attacker sends a specially crafted ID token, signed by an issuer under their control, to the Supabase Auth token endpoint. If the ID token is compliant with OpenID Connect (OIDC), the Auth server validates it and links that OIDC identity to the victim's account, resulting in the issuance of valid user session tokens. Exploitation requires an Auth server with the Apple or Azure provider enabled, an OIDC-compliant ID token issuer controlled by the attacker, and access to email addresses associated with user records on the Auth server.
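The advisory describes tokens from an attacker-controlled issuer being accepted by the ID token flow; the defensive invariant is that the issuer and audience a token is checked against come from the provider's server-side configuration, never from the token's own claims, and that only the configured issuer's published keys are ever used to verify the signature. The Go function below is an added example, not Supabase Auth's own code: the Apple issuer is the real one, the Azure tenant and both client ids are placeholders, and the names CheckIssuerForProvider, expectedIssuer and allowedAudience are the example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Trusted server-side configuration, constructed for this example (Azure's issuer is tenant-specific, so the tenant and both client ids are placeholders).
var expectedIssuer = map[string]string{
	"apple": "https://appleid.apple.com",
	"azure": "https://login.microsoftonline.com/<TENANT-ID>/v2.0",
}
var allowedAudience = map[string][]string{"apple": {"com.example.app"}, "azure": {"<AZURE-CLIENT-ID>"}}

// CheckIssuerForProvider gates an ID token before any signature verification: the token's iss
// is compared against configuration and never used to select a key set; on success it returns
// the configured issuer, which is the only one whose published keys may verify the signature.
func CheckIssuerForProvider(provider, idToken string) (string, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1]) // claims only, still unverified
	var c struct {
		Iss string `json:"iss"`
		Aud any    `json:"aud"` // OIDC allows a string or an array of strings here
	}
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return "", fmt.Errorf("undecodable claims")
	}
	if issuer, ok := expectedIssuer[provider]; !ok || c.Iss != issuer {
		return "", fmt.Errorf("issuer %q is not the configured issuer for provider %q", c.Iss, provider)
	}
	auds, _ := c.Aud.([]any)
	if s, ok := c.Aud.(string); ok {
		auds = []any{s}
	}
	for _, a := range auds {
		for _, allowed := range allowedAudience[provider] {
			if a == allowed {
				return expectedIssuer[provider], nil
			}
		}
	}
	return "", fmt.Errorf("audience %v was not issued for this deployment", auds)
}
```

Signature verification against the returned issuer's keys, plus the usual exp/nonce checks, still has to follow; this function only decides which issuer the token may be verified against.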

Impact

Exploitation of this vulnerability allows for unauthorized session creation, granting attackers access to user accounts with valid access and refresh tokens at the AAL1 level.

Reproduction

To reproduce this vulnerability, an attacker must first obtain or create a valid, asymmetrically signed ID token from an OIDC-compliant issuer they control, targeting the email address of a user on the Supabase Auth server. This ID token must be crafted to comply with OIDC standards and include the necessary claims to be accepted by the Supabase Auth server. Once the ID token is prepared, it can be sent to the Supabase Auth token endpoint using the ID token flow, specifying either 'apple' or 'azure' as the provider, depending on the target authentication service. If the ID token is accepted, the Auth server will link the identities and issue a session for the user.

Remediation

Users are advised to update to Supabase Auth version 2.185.0 or later. For self-hosted deployments, it is recommended to establish a process for regular updates and to avoid exposing the Auth server directly to the internet. Instead, place it behind a reverse proxy that is kept up-to-date.

Added: Mar 11, 2026, 5:22 PM
Updated: Mar 11, 2026, 5:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.3
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.