Hello!
This is my first time in this group and I am new to Keycloak administration so I apologize in advance if this is a silly question.
I’ve come across a possible security vulnerability where you can change a user’s attributes with the user’s own token credential, but as far as I can tell the user is not allowed to change their own attributes when they log on to the console as themselves.
Here are the steps I took to recreate this issue:
1. Instantiate a Keycloak server with image 7.0.1 (I’ve been told this works on the newest version as well)
2. Go to clients and create a new openid-connect client (test-client). The configuration of the newly created client is set to default, i.e. Standard Flow Enabled: true, Direct Access Grants Enabled: true, Access Type: public
3. Go to users and create a new user (test) with password ‘1234’
4. Use the above created client to obtain a token for the above user:
token=$(curl --noproxy '*' -k -d "client_id=test-client" -d "username=test" -d "password=1234" -d "grant_type=password" -d "client_secret=" "https://localhost:8443/auth/realms/master/protocol/openid-connect/token" | jq '.access_token' | tr -d '"')
5. Use the above token for user test and change his user attributes with the command below:
curl --noproxy '*' -X POST -k -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" -d '{"attributes": {"a1":["1"],"a2":["2"],"a3":["3"],"a4":["4"]}}' https://localhost:8443/auth/realms/master/account/
This is done when “account_api – Account Management REST API” and “account2 – New Account Management Console” are disabled as they are by default.
Doing the above steps 1-5 might have some security impact, since the administrator might have configured sensitive information in the user attributes, and the user should not be able to alter those.
Moreover, LDAP federated users have sensitive information in the attributes section, such as userId, HomeDirectory, LoginShell, etc.
So, a malicious user can explore this and change his userID and therefore pretend to be someone else.
I would appreciate any advice on where this issue might be coming from, or whether it even is an issue; I could just be mistaken.
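Independently of whether the endpoint behaviour above is intended, an administrator who stores sensitive values in user attributes will want to notice when those values drift. The following is an added example, not code from the post or from the Keycloak project: it snapshots a user's attributes through the Keycloak Admin REST API (the real `/auth/admin/realms/{realm}/users/{id}` path, which needs an admin token, not the user's own) and reports any change to a configurable set of sensitive attribute names. The attribute names `userId`, `homeDirectory` and `loginShell` are taken from the post's LDAP example and are assumptions; the exact names depend on the configured LDAP mappers.

```python
"""Detect unexpected changes to sensitive Keycloak user attributes.

Added example (not from the post or from Keycloak). Assumes the Admin REST
API path /auth/admin/realms/{realm}/users/{id}, which exists in Keycloak 7.x
and later, and an admin bearer token obtained out of band.
"""
import json
import urllib.request
from typing import Dict, List, Optional, Set, Tuple

# Assumed attribute names: the post mentions userId, HomeDirectory and
# LoginShell for LDAP-federated users; real names depend on the LDAP mappers.
SENSITIVE_ATTRIBUTES: Set[str] = {"userId", "homeDirectory", "loginShell"}

Attributes = Dict[str, List[str]]  # Keycloak stores every attribute as a list


def fetch_user_attributes(base_url: str, realm: str, user_id: str,
                          admin_token: str) -> Attributes:
    """Read one user's attributes via the Admin REST API (admin token required)."""
    req = urllib.request.Request(
        f"{base_url}/auth/admin/realms/{realm}/users/{user_id}",
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    with urllib.request.urlopen(req) as resp:  # network call, not run offline
        return json.load(resp).get("attributes", {}) or {}


def diff_sensitive_attributes(
    baseline: Attributes, current: Attributes,
    sensitive: Set[str] = SENSITIVE_ATTRIBUTES,
) -> Dict[str, Tuple[Optional[List[str]], Optional[List[str]]]]:
    """Return {name: (old, new)} for sensitive attributes that were changed,
    added or removed between two snapshots. Non-sensitive attributes
    (e.g. a1..a4 from the post) are ignored on purpose."""
    changes = {}
    for name in sorted(sensitive):
        old, new = baseline.get(name), current.get(name)
        if old != new:
            changes[name] = (old, new)
    return changes


def sample_drift() -> Dict[str, Tuple[Optional[List[str]], Optional[List[str]]]]:
    """Run the comparison on constructed snapshots (no Keycloak needed)."""
    baseline: Attributes = {  # constructed sample: attributes after LDAP sync
        "userId": ["1001"],
        "homeDirectory": ["/home/test"],
        "loginShell": ["/bin/bash"],
    }
    current: Attributes = {  # constructed sample: homeDirectory changed, a1 added
        "userId": ["1001"],
        "homeDirectory": ["/home/other"],
        "loginShell": ["/bin/bash"],
        "a1": ["1"],
    }
    return diff_sensitive_attributes(baseline, current)


if __name__ == "__main__":
    for name, (old, new) in sample_drift().items():
        print(f"ALERT: sensitive attribute {name!r} changed: {old} -> {new}")
```

In practice the baseline would be stored after each LDAP sync and `fetch_user_attributes` polled periodically (or triggered from Keycloak's admin events); any non-empty result from `diff_sensitive_attributes` is worth an alert, because a change to `userId` or `homeDirectory` that did not come from the directory is exactly the scenario the post describes.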