CVE-2020-26254

omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.

omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.

### Impact This vulnerability impacts applications using the [omniauth-apple](https://github.com/nhosoya/omniauth-apple) strategy of OmniAuth and using the `info.email` field of OmniAuth's [Auth Hash Schema](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema) for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. For example, an application using omniauth-apple with the following code will be impacted: ```ruby def omniauth_callback auth_hash = request.env['omniauth.auth'] @authenticated_user = User.find_by(email: auth_hash.info.email) end ``` Applications not using `info.email` for identification but are instead using the `uid` field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of `info.email` is being used for other purposes. ### Patches Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later. ### Workarounds If unable to upgrade to a patched version, monkey patching `OmniAuth::Strategies::Apple#email` as follows is advised as a workaround: ```ruby module OmniAuth module Strategies class Apple def email id_info['email'] end end end end ```

### Impact This vulnerability impacts applications using the [omniauth-apple](https://github.com/nhosoya/omniauth-apple) strategy of OmniAuth and using the `info.email` field of OmniAuth's [Auth Hash Schema](https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema) for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. For example, an application using omniauth-apple with the following code will be impacted: ```ruby def omniauth_callback auth_hash = request.env['omniauth.auth'] @authenticated_user = User.find_by(email: auth_hash.info.email) end ``` Applications not using `info.email` for identification but are instead using the `uid` field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of `info.email` is being used for other purposes. ### Patches Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later. ### Workarounds If unable to upgrade to a patched version, monkey patching `OmniAuth::Strategies::Apple#email` as follows is advised as a workaround: ```ruby module OmniAuth module Strategies class Apple def email id_info['email'] end end end end ```

omniauth-apple es la estrategia de OmniAuth para "Sign In with Apple" (RubyGem omniauth-apple). En omniauth-apple anterior a versión 1.0.1, los atacantes pueden falsificar su dirección de correo electrónico durante la autenticación. Esta vulnerabilidad afecta a las aplicaciones que usan la estrategia omniauth-apple de OmniAuth y el campo info.email del Auth Hash Schema de OmniAuth para cualquier tipo de identificación. El valor de este campo puede ser establecido en cualquier valor que elija el atacante, incluyendo las direcciones de correo electrónico de otros usuarios. Las aplicaciones que no usan info.email para la identificación, sino que en su lugar usan el campo uid, no están afectadas de la misma manera. Tome en cuenta que estas aplicaciones aún pueden estar afectadas negativamente si el valor de info.email se utiliza para otros fines. Se recomienda a las aplicaciones que utilizan versiones afectadas de omniauth-apple que se actualicen a omniauth-apple versión 1.0