Re: CVE request: RubyGem omniauth-facebook access token security vulnerability

[Josef Šimánek <josef.simanek () gmail com>]

Sorry for bumping, but is there any problem with this CVE request?

Fix is here (https://github.com/mkdynamic/omniauth-facebook/commit/115c0a768cd6f4b9bfae8900f8e3fc4fbeec3ad8)
and release is prepared. We're waiting for CVE only.

regards
Josef

2013/11/15 Josef Šimánek <josef.simanek () gmail com>:
> # RubyGem omniauth-facebook access token security vulnerability
>
> There is a security vulnerability in the omniauth-facebook <= 1.5.0.
>
>     Versions affected: <= 1.5.0
>     Fixed versions:    >= 1.5.1
>
> ## Impact
>
> Because omniauth-facebook <= 1.5.0 supports passing an access token
> directly in the URL, an attacker may be able to authenticate as
> another user by passing a valid access token obtained from Facebook
> for another app.
>
> If you're currently using this feature, and passing the access token
> directly, you should change your integration to use one of the secure
> methods using either a signed request or the code flow. These secure
> methods are default, so unless you are explicitly passing an access
> token you should not need to make any integration changes to upgrade
> to 1.5.1.
>
> All users running an affected release should upgrade to >= 1.5.1.
>
> ## Releases
>
> The 1.5.1 releases is available at the normal locations.
>
> ## Workarounds
>
> None.
>
> ## Credits
>
> Egor Homakov (@homakov)