Hello all,

We just released a change (patches are attached to this email) for a security vulnerability with our third party authentication (TPA). See the email attachments for a patch for the current release and for Maple release.

Without this patch, it is possible to redirect user to an evil site after user has logged in via third party auth like Facebook, Google etc.

While we had code in place to generate redirect urls that are safe, we were not accounting for change directly to those urls from browsers or maliciously generated login links i.e Sign in - Google Accounts. Our fix ensures that redirect urls are whitelisted when user exits the TPA pipeline making it possible to redirect only to safe urls.

We advise you to patch your instances as soon as possible. The patch has been applied and merged into the respective branches.

If you have any questions, feel free to reach out to me.

Thanks,
Zainab Amir
edX Activate Squad

P.S. Patch is attached in gzip form to prevent Google Groups from modifying the patch’s line endings.
maple_open_redirect_vulnerability.patch.gz (1.7 KB)
master_open_redirect_vulnerability.patch.gz (1.7 KB)