Impact
A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user.
Patches
Version 1.1 fixes this issue.
Workarounds
There is no workaround. Upgrade to 1.1 immediately.
References
For more information
If you have any questions or comments about this advisory:
Impact
A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final
"me"URL value returned by the authorization server belongs to the same domain as the initial value entered by the user.Patches
Version 1.1 fixes this issue.
Workarounds
There is no workaround. Upgrade to 1.1 immediately.
References
For more information
If you have any questions or comments about this advisory: