GitHub/SUPA SSO Account Merge Identity Poisoning via Controlled Email (GHSA-wq6d)

Vulnerability Overview Vulnerability Name: User-controlled can poison SSO account merge and attach victim SSO identity to attacker account Vulnerability ID: GHSA-wq6d-ffwf-gqww Severity: High CVE ID: No known CVE Weakness: CWE-639 Reporter: Judel777 Scope of Impact Affected Versions: <12.128.12 Fixed Version: 12.128.12 Impact Description: An authenticated user can change their to an arbitrary email address. The SSO configuration process subsequently trusts the mutable profile email as an account merge key. This allows an attacker to pre-position their account with the victim company's SSO email address. When the legitimate victim logs in via SSO, can resolve the attacker's row as the canonical pre-existing account, merging the attacker-controlled account ID into the victim's SSO organization, transferring the victim's SSO identity, and removing the duplicate SSO user. Remediation Recommended Fixes: 1. Do not use the mutable as an identity merge key. 2. During SSO merging, resolve existing accounts from instead of . 3. Merge only when the target account's equals the SSO email claim. 4. Add RLS (Row Level Security) WITH CHECK or triggers to prevent users from changing to a value different from . 5. Consider making read-only and synchronizing it only from trusted metadata. 6. Consider adding a unique lowercase canonical email constraint if must represent the identity email. POC Code Full Exploit Chain 1. The attacker has a normal, authenticated Capgo account. 2. The attacker updates their to . 3. has an active SSO provider within Capgo. 4. The real victim logs in via SSO. 5. Capgo creates or uses the SSO-authenticated user as the victim. 6. receives the victim's trusted SSO email claim. 7. The configuration code searches for by email. 8. The backend resolves its mutable , where the service role lookup resolves the attacker's ID. 9. The backend merges the attacker-controlled account ID into the SSO organization and transfers the victim's SSO identity. 10. The duplicate SSO user is deleted. Impact This allows a regular authenticated user to pre-position their account for merging with another email address during future SSO logins. Depending on session behavior and SSO enforcement, the impact may include: Unauthorized membership in the victim's SSO organization Transfer of the victim's SSO identity to an attacker-controlled account Account merge corruption Potential persistent access to the victim's tenant as the merged user Deletion of legitimate SSO users created during configuration This is more severe than a typical profile issue because the mutable field is later consumed by the service role's identity merge path. This does not appear to be intended behavior. Profile editing may be expected, but using a mutable profile email as an identity merge key is insecure. Trusted identity emails should come from or validated SSO assertions, not from the attacker-controlled . Strongest False Positive Consideration I did not complete a live victim SSO merge against another real tenant or user. The confirmed live primitive is [Link]. I believe the reason this is exploitable is that the SSO configuration code uses the service role to resolve .

Goal Reached Thanks to every supporter — we hit 100%!

GitHub/SUPA SSO Account Merge Identity Poisoning via Controlled Email (GHSA-wq6d)

More from this source