Wednesday, December 17, 2014

Blatant CSRF in Doorkeeper, most popular OAuth2 gem

I read a post about CSRF on DigitalOcean (in Russian) by Sergey Belove. My first reaction was, obviously, how come? DigitalOcean is not kind of a team that would have lame "skip_before_action :verify_authenticity_token".

DigitalOcean uses Doorkeeper, the most popular OAuth Provider library for rails apps and it manages clients, tokens, scopes and validations out of box.
Then I looked into Doorkeeper's commit history... it turns out Doorkeeper's endpoints never had CSRF protection, because they inherit directly from ActionController::Base, not ApplicationController.

Which means any HTML page on the Internet can get your access_token with arbitrary scope (such as "email", "dialogs" or "withdraw_money") from any Doorkeeper-compatible Rails app you are logged in. Example:

<form action="" method="POST">
  <input name="client_id" value="EVIL_APP_ID" />
  <input name="redirect_uri" value="http://CALLBACK" />
  <input name="scope" value="ANY SCOPE" />

This is a big deal. You must upgrade Doorkeeper NOW.

P.S. It's funny that Sergey is not a Rails developer so he simply tried to send a request without authenticity_token. Frankly, I wouldn't try that - Rails has built-in CSRF protection everywhere, why even bother? That's why.

P.S 2 It's a bit disappointing neither DigitalOcean nor Doorkeeper (Applicake?) team did announce such a severe vulnerability, so I do it for them.


  1. Thanks again for the research Egor!

    1. I have nothing to do with this - it's Sergey who found it. He just didn't realize at first what a big bug he spotted.

    2. Big thanks to Sergey for reporting it responsibly! Just to be clear, this was fixed on DigitalOcean. One of our engineers reported and fix this in upstream Doorkeeper as well.

      The info for contacting our security team can be found here:

  2. maybe bold/highlight/spotlight "This is a big deal. You must upgrade Doorkeeper NOW." ?

  3. In which version of Doorkeeper was this actually fixed?

  4. I haven't checked, but as per Andrew above 'upstream' would be the 'master' branch. It'll get tagged in the latest release, if it hasn't already been done. Check changelog.

  5. Thanks Egor for post ;)
    Can confirm that it fixed now -

  6. Looks like it was assigned a CVE