MyTube Passkey Registration Vulnerability Allows Unauthenticated Admin Access

Vulnerability

A vulnerability in MyTube, a self-hosted video downloader and player, prior to version 1.8.71, allows an unauthenticated attacker to register a passkey and gain full administrative access. The application exposes passkey registration endpoints without requiring authentication. Once a passkey is registered, it is automatically granted an admin token, enabling complete compromise of the application. This vulnerability arises from the lack of authentication on critical passkey management endpoints, including registration and verification.

Impact

Exploitation of this vulnerability allows any unauthenticated user to gain administrative privileges, with the ability to access and modify all application data, including reading and replacing the entire database. This access could also lock out legitimate administrators.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/settings/passkeys/register' endpoint without authentication. After successfully registering a passkey, use the '/api/settings/passkeys/authenticate' endpoint to log in with the registered passkey, which will grant an admin token. This token can then be used to access admin-only features, such as the database export endpoint.

Remediation

Users are advised to update to MyTube version 1.8.71 or later, where this vulnerability has been fixed.

Added: Mar 27, 2026, 1:20 AM
Updated: Mar 27, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.