A critical authentication bypass flaw in Rocket.Chat’s Apple OAuth integration allows attackers to forge identity tokens and hijack user accounts.

The handleIdentityToken function improperly validates Apple-issued JWTs during the login process. If an email parameter is missing from the token, the system incorrectly falls back to accepting an arbitrary email provided by the request, allowing an unauthenticated attacker to impersonate any user.

This vulnerability carries a CVSS score of 9.3, representing a critical risk to organizational communication security. Successful exploitation grants attackers unauthorized access to private corporate communications, potentially leading to massive data breaches, intellectual property theft, and the impersonation of high-level personnel.

Immediate Action: Update Rocket.Chat to the latest patched version (8.5.1 or relevant series-specific patch) immediately.

Proactive Monitoring: Review authentication and session logs for spikes in login activity or successful authentications involving unrecognized email patterns.

Compensating Controls: Temporarily disable the Apple OAuth login provider if the update cannot be applied immediately to prevent exploitation.

Public Exploit Available: No

Authentication bypass vulnerabilities are high-priority targets for attackers due to the ease of exploitation and the depth of access gained. Organizations must expedite the patching process to secure their communication platform and maintain the confidentiality of internal messaging.