Mattermost fails to clear Google OAuth credentials when converting a user account to a bot account, exposing the account's authentication tokens. Because the OAuth session data remains active after the conversion, an attacker can hijack the bot account through the Google OAuth signup flow. The vulnerability affects versions 10.7.0-rc1 to 10.7.0, 10.6.0-rc1 to 10.6.2, 10.5.0-rc1 to 10.5.3, and 9.11.0-rc1 to 9.11.12. When a user is converted to a bot, their OAuth session persists, so anyone who intercepts or reuses those credentials gains unauthorized access.
DailyCVE Form:
Platform: Mattermost
Version: 9.11.0-10.7.0
Vulnerability: OAuth credential leak
Severity: Moderate
Date: May 30, 2025
Prediction: Patch by June 15, 2025
What Undercode Says:
Exploitation:
1. Attacker monitors OAuth signup flow.
2. Targets bot-converted accounts.
3. Reuses leaked OAuth tokens.
Protection:
1. Upgrade to patched versions.
2. Revoke OAuth tokens post-conversion.
3. Audit bot account permissions.
Analytics:
- Impact: Account takeover risk.
- Attack Vector: Session hijacking.
- Mitigation: Immediate patching.
Commands:
Check Mattermost version:
curl -X GET http://<mattermost-server>/api/v4/system/ping
Revoke OAuth tokens (PostgreSQL):
UPDATE OAuthAccessData SET Token='' WHERE UserId='<bot-user-id>';
Code:
Detect vulnerable instances (GET /api/v4/config requires a system-admin token):
import requests

def check_vulnerability(url, token):
    # /api/v4/config is only readable with the manage_system permission.
    response = requests.get(f"{url}/api/v4/config",
                            headers={"Authorization": f"Bearer {token}"},
                            timeout=10)
    response.raise_for_status()
    version = response.json().get("Version")
    # Only the last release of each affected branch is listed here; the earlier
    # releases and rc builds in the ranges above are vulnerable as well.
    vulnerable_versions = ["10.7.0", "10.6.2", "10.5.3", "9.11.12"]
    return version in vulnerable_versions
Remediation Steps:
1. Apply Mattermost patches.
2. Force OAuth token rotation.
3. Monitor bot account activity.
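The following script is an added example written for this page; it is not code from DailyCVE/Undercode or from the Mattermost project. It covers two of the steps above: it checks a reported version against the full affected ranges from the advisory (rc builds included, which the exact-match list in the snippet above misses), and it audits bot accounts whose user record still carries an OAuth auth_service, revoking all of their sessions through POST /api/v4/users/{user_id}/sessions/revoke/all so that a session kept alive across the conversion is invalidated. The MM_URL and MM_TOKEN environment variables, the use of a non-empty auth_service on a bot as the indicator of a stale OAuth link, and the sample bot and user records are all assumptions made for the demonstration.

```python
"""Added example; not code from DailyCVE/Undercode or from Mattermost."""
import json
import os
import re
import urllib.request

MM_URL = os.environ.get("MM_URL", "https://mattermost.example.com")  # assumed env var
MM_TOKEN = os.environ.get("MM_TOKEN", "")                              # assumed: system-admin token

# Inclusive (lowest, highest) release per affected branch, as listed in the advisory.
# The rc builds named there share the release's x.y.z, so dropping the suffix
# keeps them inside the range.
AFFECTED_RANGES = [
    ((10, 7, 0), (10, 7, 0)),
    ((10, 6, 0), (10, 6, 2)),
    ((10, 5, 0), (10, 5, 3)),
    ((9, 11, 0), (9, 11, 12)),
]


def parse_version(version):
    """'10.6.1-rc2' -> (10, 6, 1). Raises ValueError on unrecognised strings."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Mattermost version: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True if the version falls inside any affected range (rc builds included)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def bots_with_oauth(bots, users_by_id):
    """Return user_ids of bots whose user record still carries an external
    auth_service (e.g. 'google'). Assumption: a bot converted from an
    OAuth-authenticated user should have this cleared, so a non-empty value
    marks the stale link the advisory describes.
    bots: objects from GET /api/v4/bots;
    users_by_id: user_id -> object from GET /api/v4/users/{user_id}."""
    return [
        bot["user_id"]
        for bot in bots
        if users_by_id.get(bot["user_id"], {}).get("auth_service")
    ]


def _api(method, path, body=None):
    """Minimal authenticated call against the Mattermost REST API v4."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{MM_URL}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {MM_TOKEN}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read() or b"null")


def audit_and_revoke(dry_run=True):
    """Fetch bots, flag those still bound to an OAuth provider and, unless
    dry_run, revoke all their sessions so that any session carried over from
    the original user account stops working."""
    bots = _api("GET", "/api/v4/bots?per_page=200")
    users = {b["user_id"]: _api("GET", f"/api/v4/users/{b['user_id']}") for b in bots}
    flagged = bots_with_oauth(bots, users)
    for user_id in flagged:
        print(f"bot {user_id}: auth_service={users[user_id]['auth_service']!r}")
        if not dry_run:
            _api("POST", f"/api/v4/users/{user_id}/sessions/revoke/all")
    return flagged


# Constructed sample records standing in for the two API responses.
SAMPLE_BOTS = [
    {"user_id": "bot-aaa", "username": "deploy-bot", "owner_id": "admin-1"},
    {"user_id": "bot-bbb", "username": "old-jane-bot", "owner_id": "admin-1"},
]
SAMPLE_USERS = {
    "bot-aaa": {"id": "bot-aaa", "is_bot": True, "auth_service": ""},
    "bot-bbb": {"id": "bot-bbb", "is_bot": True, "auth_service": "google"},
}

if __name__ == "__main__":
    print("10.6.1-rc2 vulnerable:", is_vulnerable("10.6.1-rc2"))       # True
    print("flagged bots:", bots_with_oauth(SAMPLE_BOTS, SAMPLE_USERS))  # ['bot-bbb']
    if MM_TOKEN:
        audit_and_revoke(dry_run=True)  # pass dry_run=False to actually revoke
```

Run it with MM_URL and MM_TOKEN set to audit a live server; without a token it only exercises the offline checks on the constructed records. Revoking sessions is deliberately separated from detection so the flagged list can be reviewed before anything is invalidated.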
Log Analysis:
grep "OAuth token reuse" /var/log/mattermost.log
Expected Patch:
- Mattermost 10.7.1, 10.6.3, 10.5.4, 9.11.13.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode