https://harpi.cc/tags/account-takeover/Recent content in Account-Takeover on harpi - Security ResearcherHugoen-usMon, 06 Apr 2026 16:04:01 +0300https://harpi.cc/blog/cves/django-allauth/django-allauth-account-takeover/Wed, 25 Dec 2024 00:00:00 +0000https://harpi.cc/blog/cves/django-allauth/django-allauth-account-takeover/<blockquote> <p><em>&ldquo;There&rsquo;s always a side door.&rdquo;</em></p></blockquote> <h2 id="overview">Overview</h2> <p>I discovered an account takeover vulnerability in <a href="https://github.com/pennersr/django-allauth">django-allauth</a>, one of the most widely-used authentication libraries for Django. The vulnerability allows an attacker to impersonate arbitrary users by exploiting how certain OAuth providers&rsquo; identifiers are resolved.</p> <h2 id="vulnerability-details">Vulnerability Details</h2> <p><strong>CVE:</strong> CVE-2025-65431 <strong>Type:</strong> Improper Authentication / Account Takeover (CWE-287) <strong>Impact:</strong> Account Impersonation <strong>Affected Versions:</strong> django-allauth &lt; 65.13.0</p> <h3 id="the-bug">The Bug</h3> <p>Both the Okta and NetIQ providers were using <code>preferred_username</code> as the identifier for third-party provider accounts. This value is <strong>mutable</strong> — users can change their <code>preferred_username</code> on the identity provider side.</p>