Security Advisory: OAuth Account Takeover via allowDangerousEmailAccountLinking
Severity: Critical
Version fixed: v1.0.35
Affected versions: All versions prior to v1.0.35
Affected file: src/platform/auth/providers.ts
Affected providers: Google, GitHub, Microsoft, Okta
Summary
A critical account takeover vulnerability was identified and remediated in v1.0.35. All four OAuth providers were configured with allowDangerousEmailAccountLinking: true, a setting that allows any OAuth identity sharing an email address to be automatically linked to an existing account — without requiring the account holder's knowledge or consent.
For a platform handling HMRC Making Tax Digital submissions and National Insurance Numbers, this represented an unacceptable risk of unauthorised account access and data exposure.
Vulnerability Details
Root Cause
The following configuration was present for all four OAuth providers in src/platform/auth/providers.ts:
```ts
// ❌ VULNERABLE — removed in v1.0.35
{
  allowDangerousEmailAccountLinking: true
}
```
This option instructs the authentication library to automatically link an incoming OAuth login to any existing account that shares the same email address, regardless of whether the existing account owner initiated or authorised the link.
Attack Scenario
- A victim has an existing account registered with victim@example.com.
- An attacker creates or controls an OAuth provider account (e.g. a GitHub account) using victim@example.com.
- The attacker initiates an OAuth login to the platform using that provider account.
- Because allowDangerousEmailAccountLinking: true was set, the platform silently links the attacker's OAuth identity to the victim's account and issues a valid session.
- The attacker now has full access to the victim's account, including tax records, property transactions, National Insurance Number, and HMRC submission credentials.
Impact
- Full account takeover without any user interaction or notification.
- Unauthorised access to HMRC Making Tax Digital submissions.
- Exposure of National Insurance Numbers and linked financial data.
- Unauthorised access to AgentOS property transaction imports.
- Potential for fraudulent tax submissions to HMRC on behalf of a victim.
Remediation
What Changed
allowDangerousEmailAccountLinking: true has been removed from all four provider configurations:
```ts
// ✅ FIXED in v1.0.35
// Google, GitHub, Microsoft, Okta providers
// allowDangerousEmailAccountLinking removed — no longer present
```
Secure Account Linking Model
Additional OAuth providers can now only be linked to an existing account when the user is already authenticated. This means:
- A logged-in user may voluntarily link a new OAuth provider via Account Settings.
- An unauthenticated OAuth login will not automatically merge with an existing email-matched account.
- If an email address is already registered, the user must log in via their original method first before linking a new provider.
This ensures account linking is always explicit, consent-based, and cannot be triggered by a third party.
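The linking rules above, modelled as a single decision function. This is an added example, not code from the project or the advisory; the store shapes, the `resolveOAuthLogin` name and the `allowDangerousLinking` parameter standing in for the removed flag are assumptions. With the flag set, the same function reproduces the pre-v1.0.35 silent merge, so the two behaviours can be compared on the same input.

```typescript
// Added example (not the project's code); store shapes and names are assumptions.
type User = { id: string; email: string };
type LinkedAccount = { provider: string; providerAccountId: string; userId: string };
type OAuthIdentity = { provider: string; providerAccountId: string; email: string };
type Store = { users: User[]; accounts: LinkedAccount[] };
type Outcome =
  | { action: "sign_in"; userId: string }
  | { action: "link_and_sign_in"; userId: string }
  | { action: "create_user"; email: string }
  | { action: "reject"; reason: string };
// Constructed sample data: one victim account, originally signed up via Google.
function sampleStore(): Store {
  return {
    users: [{ id: "u-victim", email: "victim@example.com" }],
    accounts: [{ provider: "google", providerAccountId: "g-123", userId: "u-victim" }],
  };
}
// sessionUserId is the already-authenticated user (null for an unauthenticated OAuth
// login). allowDangerousLinking models the flag removed in v1.0.35; default is the fix.
function resolveOAuthLogin(
  store: Store,
  identity: OAuthIdentity,
  sessionUserId: string | null,
  allowDangerousLinking = false,
): Outcome {
  const link = { provider: identity.provider, providerAccountId: identity.providerAccountId };
  // 1. This exact provider identity is already linked: sign in as its owner.
  const known = store.accounts.find(
    (a) => a.provider === link.provider && a.providerAccountId === link.providerAccountId,
  );
  if (known) return { action: "sign_in", userId: known.userId };
  // 2. A logged-in user is voluntarily linking a new provider (Account Settings flow).
  if (sessionUserId !== null) {
    store.accounts.push({ ...link, userId: sessionUserId });
    return { action: "link_and_sign_in", userId: sessionUserId };
  }
  // 3. Unauthenticated login whose email matches an existing account.
  const byEmail = store.users.find((u) => u.email.toLowerCase() === identity.email.toLowerCase());
  if (byEmail) {
    if (allowDangerousLinking) {
      // Pre-v1.0.35 behaviour: silent merge on email match, the takeover path.
      store.accounts.push({ ...link, userId: byEmail.id });
      return { action: "link_and_sign_in", userId: byEmail.id };
    }
    return { action: "reject", reason: "email already registered: sign in with the original method, then link this provider" };
  }
  // 4. No match at all: a genuinely new user.
  return { action: "create_user", email: identity.email };
}
```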
Recommended User Actions
- Update immediately. Upgrade to v1.0.35 or later.
- Review linked OAuth providers. Navigate to Account Settings → Linked Accounts and revoke any provider connections you do not recognise.
- Check recent login activity. If your account shows login events you did not initiate, treat your account as potentially compromised — change your credentials and contact support.
- National Insurance Number exposure. If you believe your account was accessed without authorisation, consider notifying HMRC and reviewing your recent MTD submission history for any unexpected entries.
Timeline
| Date | Event |
|---|---|
| Identified | allowDangerousEmailAccountLinking: true found across all four OAuth providers |
| Fixed | v1.0.35 released with the setting removed and secure linking flow enforced |
References
- NextAuth.js — allowDangerousEmailAccountLinking documentation
- HMRC Making Tax Digital API
- Internal: src/platform/auth/providers.ts