Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a critical vulnerability in Rocket.Chat, an open-source communication platform. An unauthenticated attacker can exploit this flaw to gain unauthorized access to user accounts, potentially including administrative privileges, by manipulating authentication requests. This could allow for broad access to sensitive information and system control.
- Access tokens can be stolen without authentication.
- It impacts core user and admin access controls.
- Confirm relevance and assess exposure to internal systems.
Attack Path
How an attacker could exploit the issue
An unauthenticated attacker on the network can obtain a valid Rocket.Chat OAuth access token for any user by sending a crafted HTTP POST request to the `/oauth/token` endpoint. This allows the attacker to impersonate users and gain access to their API functionalities. If the impersonated user is an administrator, the attacker can achieve full administrative control, including executing arbitrary code on the server.
- No account or credentials required.
- Exploits OAuth token endpoint.
- Leads to arbitrary code execution.
Live Threat
Current exploitation, exposure, and threat context
An unauthenticated attacker could gain access to user accounts and sensitive information within Rocket.Chat by exploiting a flaw in the OAuth token generation process. This occurs when the system improperly handles parameters, allowing the attacker to craft requests that yield valid access tokens for arbitrary users, including administrators.
- User access tokens and refresh tokens.
- Sending crafted HTTP POST requests to /oauth/token.
- Unauthorized access to user data and admin functions.
Operational Fix
Recommended remediation, mitigation, and detection steps
This critical vulnerability in Rocket.Chat's OAuth token endpoint requires immediate attention from platform and security teams. The first practical step is to identify all Rocket.Chat instances, confirm their external reachability and business criticality, and then determine the accountable owner for remediation.
- Platform and security teams own this issue.
- Verify external reachability of OAuth endpoints.
- Plan coordinated updates during maintenance.