CVE-2026-42560
Authentication Bypass in Auth Library via Patreon OAuth
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected Version Range |
|---|---|---|
| go-pkgz | auth | < 1.25.2 (fixed in 1.25.2) |
| go-pkgz | auth | < 2.1.2 (fixed in 2.1.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the go-pkgz/auth library's Patreon OAuth provider, where every authenticated Patreon account is mapped to the same local user ID instead of a unique ID derived from the actual Patreon account. The cause is that the code hashes an uninitialized field rather than the Patreon user ID returned in the API response, so the hash input is identical for every login. As a result, all Patreon-authenticated users are collapsed into a single local identity.
This flaw allows unrelated Patreon users to be merged into one account within an application, leading to cross-account access, privilege confusion, and subscription-state leakage.
How can this vulnerability impact me?
The vulnerability can have severe impacts including unauthorized access and impersonation between Patreon-authenticated users of an application. Since all Patreon users are assigned the same local user ID, one user could access another user's data or privileges, causing privacy breaches and security risks.
This can lead to cross-account access, privilege confusion, and leakage of subscription or user state information, potentially compromising the confidentiality and integrity of user data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Patreon OAuth provider in the go-pkgz/auth library assigning the same local user ID to every authenticated Patreon account due to hashing an uninitialized field instead of the actual Patreon user ID.
To detect this vulnerability on your system, you should check the version of the go-pkgz/auth library in use. Versions from 1.18.0 up to before 1.25.2 and 2.0.0 up to before 2.1.2 are vulnerable.
You can also monitor authentication logs for suspicious behavior where multiple Patreon users are mapped to the same local user ID, indicating the user ID collision.
Suggested commands to detect the vulnerable version or behavior include:
- Check the version of go-pkgz/auth in your project dependencies, for example using Go modules: `go list -m all | grep go-pkgz/auth`
- Search your codebase for Patreon provider usage to confirm whether the affected code path is enabled at all: `grep -r 'patreon' ./` (the version check above, not this search, tells you whether the dependency is fixed)
- Inspect authentication logs for the same local user ID being issued to different Patreon users; the exact query depends on your logging system.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the go-pkgz/auth library to a fixed version where the vulnerability is patched.
- Upgrade to version 1.25.2 or later if you are using the v1.x series.
- Upgrade to version 2.1.2 or later if you are using the v2.x series.
These versions include the fix that correctly hashes the Patreon numeric account ID, preventing user ID collisions.
Additionally, review your authentication logic to ensure it does not trust token.User.ID as a stable account key without validation.
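As an added illustration of the explanation and the mitigation above (this is not code from go-pkgz/auth; the response shape, field names and hash choice are assumptions), the collapsed-identity defect is shown beside a corrected mapping that hashes the account ID the API actually returned and rejects a reply without one, plus a check that distinct accounts must receive distinct local IDs:

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// identityResponse: hypothetical minimal shape of the Patreon identity reply (names assumed).
type identityResponse struct {
	Data struct {
		ID string `json:"id"`
	} `json:"data"`
}

// hashID derives the local user ID from an upstream identifier (hash choice assumed).
func hashID(s string) string { return fmt.Sprintf("patreon_%x", sha256.Sum256([]byte(s))) }

// buggyLocalID models the defect: the hashed value is never populated from the response.
func buggyLocalID(raw []byte) (string, error) {
	var resp identityResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return "", err
	}
	var unsetID string // stands in for the uninitialized field; resp.Data.ID is ignored
	return hashID(unsetID), nil // every account gets the hash of "" -> one local identity
}

// fixedLocalID hashes the returned account ID and refuses to mint an identity without one.
func fixedLocalID(raw []byte) (string, error) {
	var resp identityResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return "", err
	}
	if resp.Data.ID == "" {
		return "", fmt.Errorf("patreon identity response has no account id")
	}
	return hashID(resp.Data.ID), nil
}

// collides reports whether replies for two different accounts map to one local ID.
func collides(mapper func([]byte) (string, error), a, b []byte) bool {
	x, errA := mapper(a)
	y, errB := mapper(b)
	return errA == nil && errB == nil && x == y
}

// Constructed identity replies for two different accounts (sample data, not real users).
var accountA, accountB = []byte(`{"data":{"id":"1001"}}`), []byte(`{"data":{"id":"2002"}}`)
```

The `collides` check is the kind of regression test worth keeping in an application that persists accounts keyed by the provider-derived user ID.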
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes all Patreon-authenticated users to be mapped to the same local user ID, leading to cross-account access, privilege confusion, and subscription-state leakage.
Such unauthorized access and data leakage could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on user identity, access segregation, and confidentiality of personal data.
By collapsing multiple users into a single identity, the application risks exposing personal or sensitive information to unauthorized users, undermining compliance with standards that mandate user data isolation and secure authentication.