Nhost OAuth Email Verification Bypass Vulnerability Leading to Account Takeover
Vulnerability
A vulnerability in Nhost's OAuth handling allows attackers to link unverified email addresses to existing accounts, leading to unauthorized access. The issue arises because the profile returned by certain OAuth providers, including Discord, Bitbucket, and Microsoft services, can carry an email address whose ownership the provider has not verified, yet Nhost marked such addresses as confirmed. As a result, an attacker can gain access to a victim's account without the victim's knowledge.
Impact
Exploitation of this vulnerability allows for full account takeover on Nhost, including access to any linked services or data. In applications with administrative privileges, this could lead to more severe consequences, such as unauthorized changes to application settings or user roles.
Reproduction
To reproduce this vulnerability, an attacker can change the email address on their Discord account to that of a victim's Nhost account, leaving it unverified. When they log into the Nhost application using Discord OAuth, the Nhost adapter will incorrectly mark the email as verified, allowing them to link their Discord account to the victim's Nhost account and gain access.
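The adapter flaw described above, as an added illustration that is not Nhost's code: a linker that matches on the provider-supplied email alone beside a hardened one that only auto-links to an existing account when the provider explicitly attests the address. The simplified in-memory user store and the VERIFIED_FLAG map are assumptions; Discord's `verified` field comes from its /users/@me profile, and any provider without a known flag is treated as unverified.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    id: str
    email: str
    email_verified: bool = False
    identities: dict = field(default_factory=dict)  # provider -> provider user id

# Providers whose profile payload carries an explicit "email verified" flag. Discord's
# /users/@me returns "verified"; unlisted providers (assumption) default to unverified.
VERIFIED_FLAG = {"discord": "verified"}

def profile_email(provider: str, profile: dict) -> tuple[Optional[str], bool]:
    """Return (email, verified) from a raw provider profile, defaulting to unverified."""
    email = profile.get("email")
    if not email:
        return None, False
    flag = VERIFIED_FLAG.get(provider)
    return email.strip().lower(), (bool(profile.get(flag)) if flag else False)

def link_vulnerable(provider: str, profile: dict, users: dict) -> User:
    """Flawed pattern from the advisory: match on email alone and trust it."""
    email = profile.get("email", "").strip().lower()
    for user in users.values():
        if user.email == email:  # no check that the provider verified the address
            user.identities[provider] = profile["id"]
            user.email_verified = True
            return user
    user = User(id=f"{provider}:{profile['id']}", email=email, email_verified=True)
    users[user.id] = user
    return user

def link_hardened(provider: str, profile: dict, users: dict) -> User:
    """Auto-link to an existing account only when the provider attests the email."""
    email, verified = profile_email(provider, profile)
    if email is None:
        raise ValueError("provider returned no email address")
    existing = next((u for u in users.values() if u.email == email), None)
    if existing is not None:
        if not verified:
            raise PermissionError("unverified provider email matches an existing account")
        existing.identities[provider] = profile["id"]
        return existing
    # New account: carry the provider's verification status, never assume True.
    user = User(id=f"{provider}:{profile['id']}", email=email, email_verified=verified)
    users[user.id] = user
    return user
```

A caller that receives PermissionError should fall back to its normal email-verification flow rather than completing the login.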
Remediation
Users can update to Nhost version 0.49.1 or later, where this vulnerability has been fixed.