This is an automated archive made by the Lemmit Bot.

The original was posted on /r/selfhosted by /u/GreatRoxy on 2025-01-16 21:19:27+00:00.


Hello,

I just wanted to let you know about something serious I came across. While using Zipline, I found a big security issue with the OAuth2 setup (specifically with Google), and it’s super important to update right away to keep your accounts safe.

Vulnerability Details:

  • Affected Versions: Anything past v3.6.0, including v3.7.10.
  • Impact: An issue in the OAuth2 fallback logic allowed account hijacking. If two Google accounts share the same username prefix (e.g., [email protected] and [email protected]), they could end up pointing to the same account in Zipline. This means someone could easily access another user’s data.
  • Affected Features: Users who enabled the following settings are especially vulnerable:
        FEATURES_OAUTH_LOGIN_ONLY=true
        OAUTH_BYPASS_LOCAL_LOGIN=true

These settings, which should increase security by disabling password logins, unfortunately weakened security in this case due to the OAuth fallback logic issue.

What You Should Do:

  • Update Immediately: Upgrade to the latest version of Zipline (v3.7.11 or higher) to ensure your accounts are secure.
  • If You’re Not Using OAuth2: You’re safe, but still consider updating for other improvements.

My Experience:

I discovered this issue and reported it to the Zipline team via their GitHub repository. I’m happy to say that the developer quickly acknowledged the problem and implemented a fix in record time. The latest release (v3.7.11) resolves the issue, so it’s critical for users to update immediately.

It’s quite surprising that such a critical issue existed. The fallback logic essentially bypassed a key security mechanism, leaving users’ data at risk.

For those interested, you can view the updated code that addresses this issue here: GitHub Commit Fix
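An added TypeScript sketch (not Zipline's code, and the exact shape of Zipline's fallback is my assumption based on the description above) of why a username-prefix fallback merges two Google identities into one local account, beside a lookup keyed only on the provider's stable user ID; all users, subject IDs and e-mail addresses in it are constructed.

```typescript
// Added illustration (not Zipline's code): a username-prefix fallback that merges
// two Google identities into one local account, beside a lookup keyed only on the
// provider's stable user ID. All users, IDs and e-mail addresses are constructed.
interface Link { provider: string; providerId: string }
interface User { id: number; username: string; links: Link[] }
interface OAuthProfile extends Link { email: string }
// Constructed user table: "alice" is already linked to Google subject "g-111".
function seedUsers(): User[] {
  return [{ id: 1, username: "alice", links: [{ provider: "google", providerId: "g-111" }] }];
}

function findLinked(users: User[], p: OAuthProfile): User | undefined {
  return users.find(u => u.links.some(l => l.provider === p.provider && l.providerId === p.providerId));
}
function createUser(users: User[], username: string, p: OAuthProfile): User {
  const user: User = { id: users.length + 1, username, links: [{ provider: p.provider, providerId: p.providerId }] };
  users.push(user);
  return user;
}

// Vulnerable resolver (assumed shape of the fallback the post describes): when no
// link matches, fall back to matching the e-mail local part against existing usernames.
function resolveVulnerable(users: User[], p: OAuthProfile): User {
  const linked = findLinked(users, p);
  if (linked) return linked;
  const prefix = p.email.split("@")[0];
  const byPrefix = users.find(u => u.username === prefix); // BUG: a prefix is not an identity
  return byPrefix ?? createUser(users, prefix, p);
}

// Hardened resolver: identity is (provider, providerId) only. An unknown identity always
// gets a fresh account; a clashing username is de-duplicated, never merged.
function resolveHardened(users: User[], p: OAuthProfile): User {
  const linked = findLinked(users, p);
  if (linked) return linked;
  const base = p.email.split("@")[0];
  let name = base;
  for (let n = 1; users.some(u => u.username === name); n++) name = `${base}-${n}`;
  return createUser(users, name, p);
}

// alice@example.org (subject "g-222") signs in; only the hardened path keeps alice's data separate.
function demo(): { vulnerableId: number; hardenedId: number } {
  const other: OAuthProfile = { provider: "google", providerId: "g-222", email: "alice@example.org" };
  return {
    vulnerableId: resolveVulnerable(seedUsers(), other).id, // 1: alice's account
    hardenedId: resolveHardened(seedUsers(), other).id,     // 2: a new account
  };
}
```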