A person's Gigya UID isn't intended to be secret information; it should be useless if you don't know a site's secret Gigya key. This module, however, allows you to log in as a Drupal user if you know only their Gigya UID. (You cannot authenticate as that user's Gigya identity, but you WILL get logged in as the Drupal user.) This only pertains to users that use a social provider for their authentication; it does not work for users that use Drupal for authentication.

I've attached a basic patch to remedy the issue.

Attachment: gigya.patch (677 bytes), by azinck

Comments

Comment by Gigya

Status: Active » Needs work

azinck,

Thank you for bringing this to our attention; we will work on adding the fix to our beta9 release, which should be available in a few weeks.

Itamar

Comment by azinck

This is now a much more urgent issue since you're using the user's Drupal user ID as their Gigya ID! You can easily log in as the super user (UID = 1) on any site with this module installed!

No one should use this module in its current state.

Comment by Gigya

Thanks for giving us the heads-up on this. We are working on fixing it now and will release an updated version without this security vulnerability asap.

Comment by Gigya

Status: Needs work » Fixed

Fixed in beta9.

Comment by Gigya

Fixed in beta9

Thanks a lot!!!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.