Buildbot OAuth Authentication Vulnerability
The exploit of the day today is a vulnerability affecting the popular continuous integration tool Buildbot.
The vulnerability was found and reported by Phillip Kuhrt and affects the OAuth authentication feature used in Buildbot.
It allows a third party to authenticate as a legitimate user.
The vulnerability is officially described as follows:
If an attacker has an application authorized to access data of another user at the same Identity Provider as the one used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully log in as the victim.
If you are using OAuth in any of your applications, we recommend that you verify its implementation.
A better validation of tokens has been implemented in commit 8dd63f494af50ce58b0a8d79ad7eff2b25ca3460.
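The official description above comes down to a server accepting a token without checking which application it was issued to. The following is an added example, not Buildbot's code and not the code from the commit: it puts a login routine with that flaw beside one that checks the issuing client. The client IDs, token strings and the in-memory identity provider are all constructed for the illustration.

```python
# Added illustration; every name and value here is constructed.
CI_CLIENT_ID = "ci-server-client"         # hypothetical client_id of the CI server
OTHER_CLIENT_ID = "unrelated-app-client"  # hypothetical second app at the same provider

# Constructed stand-in for the identity provider's token records, shaped like
# an RFC 7662 token introspection response (active, client_id, username).
IDP_TOKENS = {
    "tok-ci-alice": {"active": True, "client_id": CI_CLIENT_ID, "username": "alice"},
    "tok-other-alice": {"active": True, "client_id": OTHER_CLIENT_ID, "username": "alice"},
    "tok-expired": {"active": False},
}


class LoginRejected(Exception):
    """Raised when a supplied token must not create a session."""


def introspect(token):
    """Stand-in for asking the provider about a token; unknown means inactive."""
    return IDP_TOKENS.get(token, {"active": False})


def login_unchecked(token):
    """Flawed: any active token from the provider logs its user in."""
    info = introspect(token)
    if not info.get("active"):
        raise LoginRejected("inactive or unknown token")
    return info["username"]


def login_checked(token):
    """Hardened: the token must also have been issued to this server's client."""
    info = introspect(token)
    if not info.get("active"):
        raise LoginRejected("inactive or unknown token")
    if info.get("client_id") != CI_CLIENT_ID:
        raise LoginRejected("token was issued to a different client")
    return info["username"]


def is_accepted(login, token):
    """Return True if the given login routine accepts the token."""
    try:
        login(token)
        return True
    except LoginRejected:
        return False


if __name__ == "__main__":
    for tok in IDP_TOKENS:
        print(tok, is_accepted(login_unchecked, tok), is_accepted(login_checked, tok))
```

When reviewing your own OAuth integration, the equivalent check is that a token's audience or client binding is compared against your application's registered client before a session is created.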