This is an automated archive made by the Lemmit Bot.
The original was posted on /r/selfhosted by /u/GreatRoxy on 2025-01-16 21:19:27+00:00.
Hello,
I just wanted to let you know about something serious I came across. While using zipline, I found a big security issue with the OAuth2 setup (specifically with Google), and it’s super important to update right away to keep your accounts safe.
Vulnerability Details:
- Affected Versions: Anything past v3.6.0, including v3.7.10.
- Impact: An issue in the OAuth2 fallback logic allowed account hijacking. If two Google accounts share the same username prefix (e.g., [email protected] and [email protected]), they could end up pointing to the same account in Zipline. This means someone could easily access another user’s data.
- Affected Features:
  - Users who enabled the following settings are especially vulnerable:
    FEATURES_OAUTH_LOGIN_ONLY=true
    OAUTH_BYPASS_LOCAL_LOGIN=true
    These settings, which should increase security by disabling password logins, unfortunately weakened security in this case due to the OAuth fallback logic issue.
What You Should Do:
- Update Immediately: Upgrade to the latest version of Zipline (v3.7.11 or higher) to ensure your accounts are secure.
- If You’re Not Using OAuth2: You’re safe, but still consider updating for other improvements.
My Experience:
I discovered this issue and reported it to the Zipline team via their GitHub repository. I’m happy to say that the developer quickly acknowledged the problem and implemented a fix in record time. The latest release (v3.7.11) resolves the issue, so it’s critical for users to update immediately.
It’s quite surprising that such a critical issue existed. The fallback logic essentially bypassed a key security mechanism, leaving users' data at risk.
For those interested, you can view the updated code that addresses this issue here: GitHub Commit Fix
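The following is an added illustration of the bug class the post describes and of the hardened lookup; it is not Zipline's code and not the linked commit. The store, the profile shape, the function names and the sample accounts are all assumptions constructed for the example. The point it makes: an OAuth2 login must resolve a local account only through the provider's stable subject identifier, never through a fallback on the e-mail local part, because two different Google accounts can share that prefix.

```typescript
// Added example, not Zipline's own code. Every name below is an assumption made for
// the illustration; the vulnerable function reproduces the class of fallback bug the
// post describes, the hardened one shows the defensive lookup.

interface LocalUser { id: number; username: string; }
interface OAuthLink { provider: string; subject: string; userId: number; }
interface OAuthProfile { provider: string; sub: string; email: string; }

// Returns the part of an e-mail address before "@" (the whole string if none).
function localPart(email: string): string {
  const i = email.indexOf("@");
  return i < 0 ? email : email.slice(0, i);
}

// In-memory stand-in for the application's user and oauth-link tables.
class UserStore {
  users: LocalUser[] = [];
  links: OAuthLink[] = [];
  private nextId = 1;

  createUser(username: string): LocalUser {
    const user: LocalUser = { id: this.nextId++, username };
    this.users.push(user);
    return user;
  }
  findByUsername(username: string): LocalUser | undefined {
    return this.users.find((u) => u.username === username);
  }
  findById(id: number): LocalUser | undefined {
    return this.users.find((u) => u.id === id);
  }
  findLink(provider: string, subject: string): OAuthLink | undefined {
    return this.links.find((l) => l.provider === provider && l.subject === subject);
  }
  link(provider: string, subject: string, userId: number): void {
    this.links.push({ provider, subject, userId });
  }
}

// Vulnerable pattern (constructed): when no link exists for (provider, sub), assume that
// a local user whose username equals the e-mail local part is the same person.
// alice@a.example and alice@b.example therefore collapse into one account.
function resolveUserUnsafe(store: UserStore, p: OAuthProfile): LocalUser {
  const existing = store.findLink(p.provider, p.sub);
  if (existing) return store.findById(existing.userId) as LocalUser;
  const prefix = localPart(p.email);
  let user = store.findByUsername(prefix);   // the fallback that hands over another user's account
  if (!user) user = store.createUser(prefix);
  store.link(p.provider, p.sub, user.id);
  return user;
}

// Hardened pattern: only the (provider, sub) pair identifies an identity. An unlinked
// profile always gets a fresh account with a unique username; there is no username- or
// e-mail-based fallback, so a colliding local part can never reach someone else's data.
function resolveUserSafe(store: UserStore, p: OAuthProfile): LocalUser {
  const existing = store.findLink(p.provider, p.sub);
  if (existing) return store.findById(existing.userId) as LocalUser;
  const base = localPart(p.email);
  let username = base;
  for (let n = 1; store.findByUsername(username) !== undefined; n++) username = `${base}${n}`;
  const user = store.createUser(username);
  store.link(p.provider, p.sub, user.id);
  return user;
}

// Constructed sample profiles: same local part "alice", different Google subject ids.
const profileA: OAuthProfile = { provider: "google", sub: "sub-111", email: "alice@a.example" };
const profileB: OAuthProfile = { provider: "google", sub: "sub-222", email: "alice@b.example" };

// Runs both lookups over the two profiles and reports whether they were merged.
function demo(): { unsafeSame: boolean; safeSame: boolean; safeUsernames: string[] } {
  const s1 = new UserStore();
  const ua = resolveUserUnsafe(s1, profileA);
  const ub = resolveUserUnsafe(s1, profileB);
  const s2 = new UserStore();
  const va = resolveUserSafe(s2, profileA);
  const vb = resolveUserSafe(s2, profileB);
  return { unsafeSame: ua.id === ub.id, safeSame: va.id === vb.id, safeUsernames: [va.username, vb.username] };
}

console.log(demo());
```

The hardened version also covers the legitimate case: a returning user with the same `sub` gets the same account on every login, because the link table, not the e-mail, is the source of truth. This matters even with the two environment variables from the post enabled, since disabling password login does nothing if the OAuth path itself merges identities.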