Description
In loginWithRocketChatOAuth.ts, the OAuth callback is handled by a postMessage event listener. The listener acts on the message payload alone and never validates the origin of the message.
This allows an external website to send a crafted postMessage to the application and force a login with attacker-controlled credentials: a classic login CSRF, sometimes described as session fixation because the victim ends up in a session the attacker controls.
Root Cause
The message event listener trusts every incoming message whose payload has type: "rc-oauth-callback" without checking event.origin (or comparing event.source with the popup window it opened).
Vulnerable Code
```ts
const onMessage = async (e: MessageEvent) => {
  if (e.data.type === "rc-oauth-callback") {
    // No validation of e.origin (or e.source)
    const { accessToken, serviceName } = e.data.credentials;
    // Proceeds to authenticate the user with whatever was sent
  }
};
window.addEventListener("message", onMessage);
```

Because event.origin is not validated, messages from any domain are accepted.
Impact
An attacker can:
- Inject OAuth credentials from a malicious site
- Force the victim to log in as the attacker
- Perform session fixation or login CSRF attacks
This can happen whenever the attacker holds a reference to the application's window, for example when:
- The application is open in another tab
- The OAuth popup is open
- The app is embedded in an iframe
Steps to Reproduce
- The user clicks Login with Rocket.Chat, starting the OAuth flow.
- The application registers a message event listener.
- An attacker-controlled site that holds a reference to the application's window (here `appWindow`, obtained for example from window.open() or an iframe's contentWindow) executes the following code:

```js
// appWindow: reference to the victim application's window
appWindow.postMessage({
  type: "rc-oauth-callback",
  credentials: {
    accessToken: "ATTACKER_TOKEN",
    serviceName: "conf"
  }
}, "*");
```

- The application accepts the message and attempts to authenticate using the attacker's token.
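The following is an added example, not code from the project or from this report: the "rc-oauth-callback" check rewritten so that a message is accepted only when it arrives from the expected origin and from the popup window the application itself opened, with the report's PoC replayed against it. `checkOAuthCallback`, `createOAuthCallbackHandler`, `CallbackEvent`, the `authenticate` callback and the origins used in `demo()` are assumptions for this illustration.

```typescript
// Added example (not the project's code): hardened "rc-oauth-callback" check.
// checkOAuthCallback, createOAuthCallbackHandler, CallbackEvent and the
// authenticate callback are names assumed for this illustration.

interface OAuthCredentials {
  accessToken: string;
  serviceName: string;
}

// The subset of the browser's MessageEvent the check relies on, declared
// locally so the example also runs outside a browser.
interface CallbackEvent {
  origin: string;   // scheme://host[:port] of the sender, set by the browser
  source: unknown;  // WindowProxy of the sender, set by the browser
  data: unknown;    // payload chosen by the sender; never trusted on its own
}

interface CheckOptions {
  expectedOrigin: string;  // origin of the page that legitimately posts the callback
  expectedSource: unknown; // return value of the window.open() that started the flow
}

type CallbackDecision =
  | { status: 'ignored' | 'rejected-origin' | 'rejected-source' | 'rejected-payload' }
  | { status: 'accepted'; credentials: OAuthCredentials };

// Pure decision logic with no side effects, so it can be tested with hand-built events.
function checkOAuthCallback(e: CallbackEvent, opts: CheckOptions): CallbackDecision {
  const data = e.data as { type?: unknown; credentials?: unknown } | null;
  if (!data || typeof data !== 'object' || data.type !== 'rc-oauth-callback') {
    return { status: 'ignored' }; // unrelated message, leave it to other listeners
  }
  // Exact string comparison: startsWith/includes/regex checks are the classic
  // bypass (e.g. https://app.example.evil.com would pass a startsWith check).
  if (e.origin !== opts.expectedOrigin) {
    return { status: 'rejected-origin' };
  }
  // Even a message from the right origin must come from the popup we opened;
  // the WindowProxy stays the same across the popup's redirects.
  if (!opts.expectedSource || e.source !== opts.expectedSource) {
    return { status: 'rejected-source' };
  }
  const creds = data.credentials as Partial<OAuthCredentials> | undefined;
  if (!creds || typeof creds.accessToken !== 'string' || typeof creds.serviceName !== 'string') {
    return { status: 'rejected-payload' };
  }
  return {
    status: 'accepted',
    credentials: { accessToken: creds.accessToken, serviceName: creds.serviceName },
  };
}

// Listener factory for the real page: register the returned function with
// window.addEventListener('message', handler) right after window.open().
function createOAuthCallbackHandler(
  opts: CheckOptions,
  authenticate: (creds: OAuthCredentials) => Promise<void> | void,
): (e: CallbackEvent) => Promise<CallbackDecision> {
  return async (e) => {
    const decision = checkOAuthCallback(e, opts);
    if (decision.status === 'accepted') {
      await authenticate(decision.credentials);
    }
    return decision;
  };
}

// Constructed scenario (no browser involved): the popup handle and the
// origins below are made up for the demonstration.
function demo(): Record<string, CallbackDecision['status']> {
  const popup = { name: 'oauth-popup' }; // stands in for window.open()'s return value
  const opts: CheckOptions = { expectedOrigin: 'https://app.example', expectedSource: popup };
  const payload = {
    type: 'rc-oauth-callback',
    credentials: { accessToken: 'ATTACKER_TOKEN', serviceName: 'conf' },
  };
  return {
    // The report's PoC: same payload, but event.origin is the attacker's site.
    evilOrigin: checkOAuthCallback({ origin: 'http://evil-attacker.com', source: {}, data: payload }, opts).status,
    // A lookalike origin that would pass a startsWith() check still fails here.
    lookalikeOrigin: checkOAuthCallback({ origin: 'https://app.example.evil.com', source: popup, data: payload }, opts).status,
    // Right origin, but sent by some other window (e.g. a second tab of the app).
    wrongSource: checkOAuthCallback({ origin: 'https://app.example', source: {}, data: payload }, opts).status,
    // The legitimate completion: right origin and the popup we opened.
    legitimate: checkOAuthCallback({ origin: 'https://app.example', source: popup, data: payload }, opts).status,
    // Unrelated messages are left alone rather than rejected.
    unrelated: checkOAuthCallback({ origin: 'https://app.example', source: popup, data: { type: 'ping' } }, opts).status,
  };
}
```

The origin comparison must be an exact match against a value the application already knows (the origin it navigated the popup to), never a string derived from the message itself; the `event.source` comparison additionally stops a second window on the trusted origin, such as another tab of the app, from completing a login it did not start.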
Evidence
Console output from a simulated message carrying an attacker-controlled origin:

```text
Simulating message from origin: http://evil-attacker.com
[RC Auth] Processing callback from origin: http://evil-attacker.com
Vulnerability confirmed: message accepted from untrusted origin
```

The callback is processed even though the message originates from a domain the application never opened a popup to.