ID service Dex patches token-stealing bug


Attackers could access downstream apps.

The popular OpenID Connect-based (OIDC) identity service Dex has a critical vulnerability that lets attackers steal tokens and get access to client applications.


A project of the Cloud Native Computing Foundation, Dex is an OpenID Connect identity service that sits on top of OAuth 2.0 and federates authentication to upstream identity providers (its "connectors") on behalf of application developers; the project claims millions of downloads.

According to the developers’ notification, the bug affects “Dex instances with public clients (and by extension, clients accepting tokens issued by those Dex instances)”.

If an attacker lures a victim to a malicious website and guides them through the OIDC flow from there, the attacker can steal the OAuth authorisation code. Exchanging that code for a token then gives the attacker access to any application that accepts tokens issued by the affected Dex instance.

The bug exists because Dex's authentication process used a persistent "connector state" parameter as the request ID for looking up the OAuth code. Because the attacker initiated the flow, they already know that identifier, and nothing else was required to retrieve the code.

“Once the user has successfully authenticated, if the webserver is able to call /approval before the victim’s browser calls /approval, then an attacker can fetch the Dex OAuth code which can be exchanged for an ID token using the /token endpoint,” the advisory stated.

The bug is designated CVE-2022-39222.

A fix shipped in Dex 2.35.0. It protects the approval request with a message authentication code, so an attacker who merely knows the request ID can no longer construct a valid request for the code.
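The following is an added illustration of the principle behind the fix and is not Dex's own code: a simplified, hypothetical model of an authorization server in which the attacker's site starts the flow (and so learns the request ID), the victim completes the upstream login, and the attacker's server then races the victim's browser to the approval endpoint. The "vulnerable" path looks the request up by ID alone; the "hardened" path additionally requires an HMAC tag that is handed only to the victim's browser on the connector callback. Names such as `approveVulnerable`, `approveHardened` and `simulateRace` are this example's own and do not correspond to Dex endpoints or functions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// authRequest is a stand-in for a pending OIDC authorization request kept
// server-side while the user authenticates at the upstream identity provider.
type authRequest struct {
	ID       string
	Code     string // authorization code released on approval
	LoggedIn bool   // set once the connector callback has completed
	hmacKey  []byte // per-request secret; never sent to the client that started the flow
}

type server struct {
	requests map[string]*authRequest
}

func newServer() *server { return &server{requests: map[string]*authRequest{}} }

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// startAuth models the start of the flow. The initiating client learns the
// request ID, because it travels in the redirect towards the connector.
func (s *server) startAuth() string {
	id := randomToken()
	s.requests[id] = &authRequest{ID: id, Code: randomToken(), hmacKey: []byte(randomToken())}
	return id
}

// connectorCallback models the upstream IdP redirecting the victim's browser
// back to the server after a successful login. The returned tag is what the
// hardened approval step requires, and only that browser receives it.
func (s *server) connectorCallback(id string) (string, error) {
	req, ok := s.requests[id]
	if !ok {
		return "", errors.New("unknown request")
	}
	req.LoggedIn = true
	return s.tagFor(req), nil
}

func (s *server) tagFor(req *authRequest) string {
	mac := hmac.New(sha256.New, req.hmacKey)
	mac.Write([]byte(req.ID))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// approveVulnerable: the request is looked up by ID alone, so whoever reaches
// approval first after login walks away with the code (the pre-fix behaviour).
func (s *server) approveVulnerable(id string) (string, error) {
	req, ok := s.requests[id]
	if !ok || !req.LoggedIn {
		return "", errors.New("request not ready")
	}
	delete(s.requests, id)
	return req.Code, nil
}

// approveHardened additionally demands the HMAC tag issued on the callback.
// hmac.Equal is a constant-time comparison, so the check leaks no timing.
func (s *server) approveHardened(id, tag string) (string, error) {
	req, ok := s.requests[id]
	if !ok || !req.LoggedIn {
		return "", errors.New("request not ready")
	}
	if !hmac.Equal([]byte(tag), []byte(s.tagFor(req))) {
		return "", errors.New("invalid hmac")
	}
	delete(s.requests, id)
	return req.Code, nil
}

// simulateRace runs the scenario: attacker starts the flow, victim logs in,
// attacker's server hits approval first, victim's browser arrives second.
func simulateRace(hardened bool) (attackerGotCode, victimGotCode bool) {
	s := newServer()
	id := s.startAuth()                 // attacker's site initiated it and knows id
	tag, err := s.connectorCallback(id) // victim authenticated; tag reaches only the victim's browser
	if err != nil {
		panic(err)
	}
	approve := func(presentedTag string) bool {
		if hardened {
			_, err := s.approveHardened(id, presentedTag)
			return err == nil
		}
		_, err := s.approveVulnerable(id)
		return err == nil
	}
	attackerGotCode = approve("") // wins the race, but holds no tag
	victimGotCode = approve(tag)
	return attackerGotCode, victimGotCode
}

func main() {
	a, v := simulateRace(false)
	fmt.Printf("vulnerable: attacker got code=%v victim got code=%v\n", a, v)
	a, v = simulateRace(true)
	fmt.Printf("hardened:   attacker got code=%v victim got code=%v\n", a, v)
}
```

The point of the hardened path is not that the request ID becomes secret (the attacker legitimately learns it by starting the flow) but that knowing the ID is no longer sufficient: the approval step also needs a value bound to the server-side login event that only the victim's browser is ever given.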

Copyright © iTnews.com.au. All rights reserved.