RubySec

Providing security resources for the Ruby community

CVE-2013-4593 (omniauth-facebook): omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass

ADVISORIES

GEM

omniauth-facebook

SEVERITY

CVSS v2: 6.8

PATCHED VERSIONS

  • >= 1.5.1

DESCRIPTION

omniauth-facebook Gem for Ruby contains a flaw that is due to the application supporting passing the access token via the URL. This may allow a remote attacker to bypass authentication and authenticate as another user.