Reviactyl OAuth Account Takeover Vulnerability via Automatic Email-Based Account Linking
Vulnerability
A critical vulnerability has been identified in Reviactyl, an open-source game server management panel, affecting versions 26.2.0-beta.1 up to but not including 26.2.0-beta.5. During OAuth sign-in, the panel linked the social account returned by the provider to an existing local user whenever the provider-reported email address matched that user's email, and then logged the session in as that user. No proof of control over the existing account (its password, an authenticated session, or an explicit link action from account settings) was required. An attacker who could create or control a Google, GitHub, or Discord account carrying the victim's email address could therefore start an OAuth login, have the panel match the email to the victim's account, and be logged in as the victim without knowing the victim's password: a complete account takeover. The vulnerability has been patched in version 26.2.0-beta.5.
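The following is an added illustration of the flaw described above and of the usual fix, written for this page; it is not Reviactyl's code, and the handler names, the in-memory user store, and the constructed victim/attacker accounts are assumptions. The vulnerable callback links an unknown social identity to a local user on an email match alone; the hardened callback only logs in identities the account holder linked earlier, allows new links only from an already-authenticated session, and refuses an email-only match outright.

```python
"""Illustration of automatic email-based OAuth account linking (vulnerable)
beside a hardened callback. Not Reviactyl's code; the names, data model and
sample accounts are assumptions made for this example."""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    # (provider, provider_user_id) identities this user explicitly linked
    identities: set = field(default_factory=set)


@dataclass(frozen=True)
class OAuthProfile:
    """What the panel learns from the provider after the OAuth code exchange."""
    provider: str
    provider_user_id: str
    email: str  # provider-reported; attacker-chosen on any provider that lets them set it


class UserStore:
    def __init__(self, users):
        self.users = {u.id: u for u in users}

    def by_email(self, email):
        email = email.strip().lower()
        return next((u for u in self.users.values() if u.email.lower() == email), None)

    def by_identity(self, provider, provider_user_id):
        return next((u for u in self.users.values()
                     if (provider, provider_user_id) in u.identities), None)


def vulnerable_callback(store, profile):
    """Pre-fix style: an unknown social identity whose email matches a local
    user is silently linked to that user and the session is logged in as them."""
    user = store.by_identity(profile.provider, profile.provider_user_id)
    if user is None:
        user = store.by_email(profile.email)  # the flaw: the email alone decides
        if user is not None:
            user.identities.add((profile.provider, profile.provider_user_id))
    if user is None:
        return ("register", None)
    return ("login", user.id)


def hardened_callback(store, profile, session_user=None):
    """Only identities the account holder linked earlier can log in. Linking a
    new identity requires an already-authenticated session (a 'link provider'
    action in account settings); an email match on its own is refused."""
    owner = store.by_identity(profile.provider, profile.provider_user_id)
    if owner is not None:
        if session_user is not None and session_user.id != owner.id:
            return ("error", "identity already linked to another account")
        return ("login", owner.id)
    if session_user is not None:
        session_user.identities.add((profile.provider, profile.provider_user_id))
        return ("linked", session_user.id)
    if store.by_email(profile.email) is not None:
        # Neither link nor log in: the provider's claim about the email address
        # is not proof of control over the existing local account.
        return ("refuse", "an account with this email exists; sign in with your "
                          "password and link the provider from account settings")
    return ("register", None)


def simulate_attack():
    """Constructed scenario: the attacker controls a GitHub account bearing the
    victim's email and starts an OAuth login against each handler."""
    def fresh_store():
        return UserStore([User(id=1, email="victim@example.com")])

    attacker_profile = OAuthProfile("github", "attacker-gh-9999", "victim@example.com")
    vuln = vulnerable_callback(fresh_store(), attacker_profile)
    hard = hardened_callback(fresh_store(), attacker_profile)
    return vuln, hard


if __name__ == "__main__":
    v, h = simulate_attack()
    print("vulnerable handler:", v)   # logs the attacker in as user 1
    print("hardened handler:  ", h)   # refuses and points to the settings flow
```

The hardened handler keys login on the (provider, provider_user_id) pair, never on the email, because the provider's user id is the only value the relying party can treat as stable and provider-verified; the email claim is informational and is only used to tell the user why the login was refused.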
Impact
Exploitation of this vulnerability allowed an attacker who controlled a social account bearing a victim's email address to take over that victim's Reviactyl account, with full access and without ever authenticating as the victim.
Remediation
Users should upgrade to Reviactyl version 26.2.0-beta.5 or later. Until the upgrade is applied, disabling the OAuth login providers removes the exposure entirely, because the automatic linking happens inside the OAuth sign-in flow. After upgrading, it is worth reviewing which social accounts are linked to existing users: the fix prevents new automatic links, but a link an attacker created while the flaw was present may not be removed by the upgrade itself.
