JupyterLab Users Beware: Clickjacking Vulnerability Exposes Tokens

CVE: CVE-2024-22421
CVSS v3.1: 7.6
Source: CVE-2024-22421

JupyterLab is a popular open-source web application used for interactive data science and scientific computing. Security researchers recently discovered a clickjacking vulnerability in older versions of JupyterLab that could allow malicious actors to steal users’ authentication tokens.

The vulnerability affects JupyterLab versions prior to 4.1.0b2, 4.0.11, and 3.6.7 and is an open-redirect problem rather than a frontend bug in isolation: per the advisory, a user who opens a malicious link can have the `Authorization` and `XSRFToken` values that the JupyterLab frontend attaches to its requests exposed to a third party when JupyterLab is running against an older `jupyter-server` release whose redirect handling did not properly validate the destination. The `Authorization` value is the server token, so whoever captures it gets the same access to the server as the victim, including the ability to read and run notebooks in that workspace without the user's knowledge.

Exploitation needs one user action. The attacker crafts a link whose redirect target points at a host they control and delivers it through the usual channels (a phishing email, a fake notification, an advertisement). Once the user opens it, the redirect carries the user's credentials to the attacker's server with no further interaction. The page's "clickjacking" label is loose: clickjacking proper is a UI-redress attack that frames a page and hijacks clicks on it, whereas this issue is an open redirect reached through a crafted link, with no framing involved.
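The root cause above is a redirect target that is not validated before the client is sent to it. The following is an added example, not code from JupyterLab or jupyter-server, showing the weak "it starts with a slash, so it must be local" check beside a hardened validator that accepts only same-origin paths. The `next` parameter name, the handler functions and the probe inputs are assumptions for illustration; the probes are constructed to resemble common open-redirect bypasses (scheme-relative `//host`, the browser `/\host` quirk, absolute URLs and non-HTTP schemes).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed probe inputs resembling what an attacker would place in a
# crafted link. They are illustrative, not payloads from the advisory.
PROBE_TARGETS = [
    "/lab/tree/notebook.ipynb",           # legitimate same-origin path
    "//evil.example/steal",               # scheme-relative: resolves to https://evil.example
    "/\\evil.example/steal",              # backslash: browsers treat "/\" like "//"
    "https://evil.example/steal",         # absolute URL to a third party
    "javascript:alert(document.cookie)",  # not a navigation target at all
    "/lab?next=//evil.example",           # outer path is fine; nested value is inert here
    "",                                   # empty: fall back to the default
]

DEFAULT_PATH = "/lab"  # assumed landing page after a redirect


def naive_next_url(next_param: str) -> str:
    """Weak pattern: trust 'next' as long as it starts with '/'.

    "//evil.example/steal" passes this check, and the browser resolves
    a leading "//" as a scheme-relative URL to another origin.
    """
    if next_param.startswith("/"):
        return next_param
    return DEFAULT_PATH


def safe_next_url(next_param: str, default: str = DEFAULT_PATH) -> str:
    """Hardened: accept only a path-relative, same-origin target.

    Rejects anything carrying a scheme or authority (absolute URLs and
    scheme-relative "//host" URLs), backslashes (the "/\\" browser quirk
    that urlsplit does not recognise as a separator) and control
    characters, then rebuilds the URL from path, query and fragment only
    so that no host component can survive.
    """
    if not next_param:
        return default
    if "\\" in next_param or any(ord(c) < 0x20 for c in next_param):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def audit(targets=PROBE_TARGETS):
    """Return (target, naive_result, safe_result) for each probe so the
    two policies can be compared side by side."""
    return [(t, naive_next_url(t), safe_next_url(t)) for t in targets]


if __name__ == "__main__":
    for target, naive, safe in audit():
        print(f"{target!r:40} naive={naive!r:32} safe={safe!r}")
```

Running the block prints the two policies' decisions for each probe: the naive check forwards the `//evil.example` and `/\evil.example` targets off-origin, while the hardened check returns the default path for every off-origin or non-HTTP input and passes only plain same-origin paths through unchanged. The same allow-list logic applies wherever a "next", "redirect" or "return_to" parameter feeds a redirect.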

The good news is that the issue is fixed in all maintained branches. Upgrade to JupyterLab 4.1.0b2 or later on the 4.1 pre-release line, 4.0.11 or later on 4.0, or 3.6.7 or later on 3.x. Because the exposure depends on the redirect handling in `jupyter-server`, the advisory also notes that no other workaround was identified and that users should make sure `jupyter-server` is at 2.7.2 or newer, which includes the redirect fix; `jupyter --version` lists both components' installed versions. Beyond patching, treat unsolicited links to a Jupyter instance with the same suspicion as any other credential-phishing lure, since one click is all this attack requires.
