Scalingo has proactively identified and resolved a vulnerability in the GitHub Single Sign-On (SSO) implementation on auth.scalingo.com.

No exploitation of this vulnerability has been detected in the wild.

The vulnerability was detected during our ongoing bug bounty program, which underscores our commitment to security through continuous testing and improvement. This issue could lead to a potential account takeover attack due to a missing parameter validation in the GitHub SSO authentication flow.

We advise customers to check their SCM link configuration settings (https://dashboard.scalingo.com/account/integrations), and to always be cautious to any link that is sent to them by untrusted third-parties.

Incident Analysis

On 29/07/2024, a security researcher in our private bug bounty program reported a critical vulnerability (CVSS score of 9.3).

The vulnerability arises from a lack of validation of the state parameter in the GitHub SSO callback process. An attacker could exploit this by sending a crafted URL to a victim, causing the victim’s account to link with the attacker’s GitHub account, thereby granting the attacker full access to the victim’s Scalingo account.

The prerequisites are:

• the victim must not have linked previously their Scalingo account to a GitHub account.
• the victim must be logged into their Scalingo account
• the victim must open a crafted URL in their browser

The severity of the report triggered a prompt analysis from our team the next day.

After a thorough analysis, we adjusted the CVSS score to 8.9 (high) due to the specific prerequisites required for exploitation. Our investigation traced the vulnerability to a code change made six years ago, during a period prior to our ISO 27001 and HDS certifications.

At the same time, we began analyzing our database, and quickly decided to inform our users, by cautiously selecting the people where the GitHub email address differs from the Scalingo account email address (or people where the GitHub email address is empty).

Remediation: what we did

We have implemented a fix that ensures the state parameter is properly validated during the SSO callback, preventing unauthorized account access.

We did not find any misconfiguration in the Gitlab connector.

Impact

This vulnerability, if exploited, could allow an attacker to gain unauthorized access to a user’s Scalingo account, potentially leading to data exposure and service manipulation. We have not found evidence that this vulnerability has been exploited in the wild.

Incident Response

Timeline

What you should do

All users are advised to ensure their accounts are secure by reviewing any unexpected changes in their account settings (https://dashboard.scalingo.com/account/integrations). For users whose GitHub account email differs from their Scalingo account email, we have contacted you individually to verify account integrity.

What we will do in the future

• We will thoroughly review the code related to authentication via third-parties in our infrastructure
• We will continue our private bug bounty program on our critical infrastructure components
• We will maintain our internal commitment to code review and high security and architecture standards

Product Impacts

Scalingo PaaS

Successful exploitation could lead to leak of credentials to external or internal data sources potentially including Personally Identifiable Information (access to databases, external APIs…)

Only accounts not already linked to a GitHub account, where an attacker has crafted a malicious URL and a victim has opened the link may have been compromised.

However, no evidence of exploitation has been found.

Scalingo DBaaS addons

Database addons credentials could be leaked by a successful exploitation of the vulnerability, but again, no evidence of actual exploitation.

Other Scalingo addons and services

No impact

Contact

If you have any questions or require further assistance, please contact our support team. We remain committed to ensuring the security of our platform and the protection of our users’ data.

Changelog

2024-08-05 First version 2024-08-20 Release