Protect Your ZITADEL Account from Password Reset Attacks

CVE: CVE-2023-49097
CVSS v3.1: 8.1
Source: CVE-2023-49097

ZITADEL is an identity management system that lets users reset their passwords if they forget them. A vulnerability was found in this password reset flow that could allow attackers to take over accounts.

The issue is that ZITADEL builds the password reset link in its emails from the host named in the “Forwarded” or “X-Forwarded-Host” request headers. Because these headers are supplied by whoever sends the reset request, an attacker can set them so that the emailed link points to a site they control instead of the real ZITADEL instance.

When the user clicks that link, the secret code it carries is delivered to the attacker's site rather than to ZITADEL, so the attacker obtains the code before the user has used it. They can then use the code to reset the password without the user's knowledge or consent.
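The vulnerable pattern described above, beside a hardened version, as an added Go example that is not ZITADEL's own code: the reset link is built from a host that the requester can assert through the Forwarded or X-Forwarded-Host header, and the fix only accepts a forwarded host that the operator has allow-listed, otherwise falling back to the configured external domain. The link path, the parameter names and the example domains are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// hostFromForwardedHeaders returns the host a client asserts via RFC 7239 Forwarded or X-Forwarded-Host, else the Host header.
func hostFromForwardedHeaders(r *http.Request) string {
	for _, part := range strings.Split(r.Header.Get("Forwarded"), ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 && strings.EqualFold(kv[0], "host") {
			return strings.Trim(kv[1], `"`)
		}
	}
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		return h
	}
	return r.Host
}

// buildLink assembles the emailed link; the path is a hypothetical placeholder, not ZITADEL's real route.
func buildLink(host, code string) string {
	u := url.URL{Scheme: "https", Host: host, Path: "/ui/password/reset", RawQuery: "code=" + url.QueryEscape(code)}
	return u.String()
}

// vulnerableResetLink trusts the client-asserted host (the CVE-2023-49097 pattern): the one-time code goes to whatever host the requester named.
func vulnerableResetLink(r *http.Request, code string) string {
	return buildLink(hostFromForwardedHeaders(r), code)
}

// hardenedResetLink accepts a forwarded host only if the operator allow-listed it;
// anything else is replaced by the configured external domain, so the code can only reach the real instance.
func hardenedResetLink(r *http.Request, code, externalDomain string, allowed map[string]bool) string {
	host := hostFromForwardedHeaders(r)
	if !allowed[strings.ToLower(host)] {
		host = externalDomain
	}
	return buildLink(host, code)
}

func main() {
	r := &http.Request{Host: "auth.example.com", Header: http.Header{}} // constructed request
	r.Header.Set("X-Forwarded-Host", "attacker.example.net")            // header a requester controls
	fmt.Println("vulnerable:", vulnerableResetLink(r, "code123"))
	fmt.Println("hardened:  ", hardenedResetLink(r, "code123", "auth.example.com", map[string]bool{"auth.example.com": true}))
}
```

A reverse proxy that sets these headers itself should strip the client-supplied ones first; the allow-list is the second line of defence when that is misconfigured.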

Accounts with multi-factor authentication (MFA) or passwordless login enabled cannot be compromised through this method, and ZITADEL has released updates that fix the vulnerability in recent versions.

To protect yourself, update your ZITADEL installation to the latest version. Enable MFA on your account if possible, for an extra layer of protection when resetting or changing sensitive information such as your password. Finally, be cautious with password reset links in emails and verify that you are on the real ZITADEL site before entering any codes or credentials. Staying vigilant is the best way to avoid falling victim to attacks like this.
