CVE-2024-8883 - Keycloak Misconfiguration Lets Attackers Steal Login Tokens with Open Redirects

Keycloak is a popular tool for single sign-on (SSO) and identity management, powering login systems for many organizations. But in early 2024, a new misconfiguration security issue, now tracked as CVE-2024-8883, came to light. This bug can open the door to attackers, letting them hijack user sessions through a simple but dangerous mistake.

In this long-read, let’s break down what this vulnerability is, how it works, see a code snippet for exploitation, and what you need to do to stay safe.

What is CVE-2024-8883?

Keycloak lets you specify a list of "Valid Redirect URIs" for each client app. After a user logs in, Keycloak only redirects the browser to URIs on this pre-approved list, to prevent attackers from sneaking in malicious URLs.

The problem: Many admins set "Valid Redirect URIs" like http://localhost or http://127...1—assuming this is always safe. It’s not.

If an attacker can trick a user into logging in via a browser on a machine where they control a localhost service, the attacker can receive the code grant or even tokens, stealing the user's account session.

The Flow of the Attack

1. Misconfigured Keycloak: Admin adds http://localhost or http://127...1 to the allowed redirect URIs.
2. Attacker Tricks the User: The attacker sets up a malicious app or web page that opens a login request to Keycloak, setting the redirect_uri to http://localhost:808/callback?cb=<attackercb>.
3. User Authenticates: User logs into Keycloak, and Keycloak redirects browser to http://localhost:808/callback with an authorization code as a URL parameter.
4. Attacker Listens Locally: On the user’s machine, attacker runs a service listening on port 808 and grabs the code.
5. Session Hijacking: The attacker exchanges the stolen code for tokens, taking control of the victim's session.

Suppose a Keycloak client is set up with this "Valid Redirect URI"

http://localhost:808/*

The attacker tells the victim to run the following Python script (maybe as part of a test or diagnostic):

# attacker_server.py
import http.server

PORT = 808

class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if "/callback" in self.path:
            print("Received callback: ", self.path)
            # Save the code or send it to attacker's server
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'OK')

if __name__ == "__main__":
    print(f"Listening on http://localhost:{PORT}/callback...")
    http.server.HTTPServer(("", PORT), Handler).serve_forever()

Meanwhile, the attacker triggers a login flow with redirect_uri set to http://localhost:808/callback. When the authentication completes, the Authorization Code lands at the attacker's script on the user's own machine:

http://localhost:808/callback?code=xxxxxxxxxx

The attacker can then use this code to exchange for tokens, impersonating the user.

Real-World Danger: Why Is This Bad?

localhost and 127...1 are not as safe as many think. If an attacker can convince a user to run software that listens locally or hijack a port, they can catch sensitive tokens for any site using Keycloak. Even local apps, browser extensions, or misconfigured proxies can open up this kind of attack.

Session Hijacking: The attacker finishes the authentication and steals the victim's access.

- Data Exposure: APIs, files, or cloud resources controlled by the user's identity are now at risk.
- Persistence: Attackers could use refresh tokens for ongoing access, even after the initial compromise.

How Do You Fix It?

Never set "Valid Redirect URI" to localhost or 127...1 in a production or shared environment. Here’s what you should do:

- Use public, trustworthy domains (e.g., https://app.example.com/callback) for valid redirects.

Review and update all client "Valid Redirect URIs" in your Keycloak admin interface.

- See Keycloak Security Best Practices for official tips.

References and Further Reading

- CVE Details: CVE-2024-8883
- Keycloak Docs: Redirect URIs
- RFC 8252: OAuth 2. for Native Apps
- Original Commit/Discussion

Final Thoughts

CVE-2024-8883 isn’t a code bug in Keycloak—it’s a dangerous configuration issue that can fly under the radar. If you’re using Keycloak (or any SSO provider), you need to audit your redirect URIs now.

Don’t trust localhost. Don’t trust 127...1. The next hacker who does might not be so friendly.

*Stay secure! Share this with your admin team and review your settings today.*

Timeline

Published on: 09/19/2024 15:48:28 UTC
Last modified on: 11/26/2024 19:08:51 UTC