Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a vulnerability in Rocket.Chat, an open-source communications platform, that could allow attackers to take over user accounts by forging authentication tokens. The issue arises when the platform handles login requests from Apple's OAuth service, specifically when an email address is not provided. This could potentially impact any organization using Rocket.Chat for internal or external communications, with the primary concern being to confirm if the platform is in use and if it is exposed to external networks.
- Compromises user accounts via forged login data.
- Matters for organizations using Rocket.Chat.
- Confirm usage and external exposure.
Attack Path
How an attacker could exploit the issue
An attacker could exploit this vulnerability by crafting a fraudulent Apple JWT that omits an email address. When Rocket.Chat's login handler processes this forged token, it may accept an arbitrary email provided by the attacker, potentially leading to account takeover.
- Publicly accessible login endpoint.
- Forged Apple JWT without email.
- Account takeover risk.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated attacker to take over user accounts. When a user attempts to log in using Apple's OAuth service, the system may not properly validate the user's email address if it's not present in the provided token. This could enable an attacker to forge a token without an email and register an account with an arbitrary email address, effectively hijacking legitimate accounts.
- User account access.
- Forged tokens bypassing email validation.
- Unauthorized account access and control.
Operational Fix
Recommended remediation, mitigation, and detection steps
Real-world ownership for this vulnerability likely falls to the platform or application team managing Rocket.Chat, with support from the security team for exposure analysis and the vendor-management team if using a managed service. The immediate practical step is to identify all Rocket.Chat instances, determine their reachability and criticality, and locate the accountable owner to initiate remediation planning based on risk.
- Platform or application team owns the issue.
- Verify public-facing instances and reachability.
- Plan remediation based on identified risk.