- February 9, 2025
- Posted by: Bikash Sharma
- Category: Awareness, Case Study

Uncovering a Critical Authentication Vulnerability in Qwen AI
Introduction
At Cynical Technology, we are committed to making the digital world a safer place. As part of our continuous cybersecurity research, we recently uncovered a critical authentication vulnerability in Qwen AI—an issue that could allow attackers to bypass email verification and gain unauthorized access to accounts. This flaw in the OAuth authentication process posed a significant security risk, enabling malicious actors to take over unregistered email accounts effortlessly.
In today’s digital landscape, almost every online application, including Qwen AI, offers users the convenience of signing up or logging in through third-party authentication providers like Google and Facebook. OAuth, the protocol behind this seamless authentication process, is designed to securely authorize users without requiring them to manually enter their credentials. Instead, the application retrieves essential user details—such as email, name, and profile picture—directly from the OAuth provider.
However, improper implementation of OAuth can introduce serious security risks. While analyzing Qwen AI’s authentication process, we discovered that it failed to properly verify email ownership on the server side. This misconfiguration allowed us to manipulate the email parameter in the authentication request, effectively bypassing the verification process and gaining access to any email account—whether registered or not. Such vulnerabilities, if left unpatched, can lead to account takeovers, identity fraud, and phishing attacks.
Qwen AI, like many other platforms, implemented this OAuth-based sign-in method, allowing users to log in with their Google accounts. The intended workflow was straightforward:
- A user clicks “Sign in with Google.”
- Google verifies the user’s identity and sends the necessary account details (email, name, and profile picture) back to Qwen AI.
- Qwen AI then creates an account or logs in the user based on the provided email.
Qwen AI also integrated OAuth authentication, enabling users to log in with Google credentials. Ideally, after signing in via Google, the application should verify the returned email address on the server side before granting access. However, during our security assessment, we discovered a critical misconfiguration in Qwen AI’s OAuth flow that completely bypasses email verification.
Instead of securely validating the email from Google’s authentication response, Qwen AI trusted the email parameter in the client-side request. This meant that a user’s email was not being validated on the server but was accepted directly from the URL parameters. This flaw allowed us to modify the email in the request, effectively gaining unauthorized access to any unregistered email account.
For example, the authentication flow included a URL like this:
Upon closer inspection, we realized we could manipulate the email parameter and replace it with any unregistered email address, such as:
To our surprise, Qwen AI directly logged us in as the user associated with this email, without verifying whether the email actually belonged to us.
By simply modifying the email parameter in the URL, we were able to trick the system into believing we were logging in with any email address, even one that had never been registered. No actual verification was performed. This misconfiguration led to a dangerous scenario where anyone could bypass email verification, register any email address, and gain unauthorized access.
This meant that an attacker could claim any email address and gain unauthorized access without ever needing to verify ownership.
Here’s a proof-of-concept (PoC) video demonstrating the vulnerability.
- User initiates OAuth login – When a user chooses to sign in with Google, Qwen AI fetches their email, name, and profile picture from Google’s authentication response.
- Application fails to verify email ownership – Instead of verifying whether the email belongs to the authenticated Google user, the application simply trusts the email parameter passed in the URL.
- Direct account creation without verification – If the email is changed in the URL before the redirection is completed, Qwen AI registers a new account with that email and grants access, bypassing the verification process.
- Potential account takeover – Since the application does not enforce email verification, an attacker could claim any unregistered email and create an account in their name, leading to impersonation, phishing, and potential data breaches.
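To make the root cause concrete, here is an added example (our illustration, not Qwen AI's or Cynical Technology's code) modelling the callback step above in two forms: the flawed handler that takes the email from the redirect URL, and a hardened handler that takes only the authorization code from the URL and obtains the email from the provider's own response. The provider, the in-memory code table and the sample accounts are constructed stand-ins.

```python
from typing import Optional

# Constructed stand-in for the identity provider (Google in the write-up).
# Maps one-time authorization codes to the identity the provider actually verified.
_PROVIDER_CODES = {
    "code-abc123": {"email": "alice@example.com", "name": "Alice", "email_verified": True},
    "code-unverified": {"email": "bob@example.com", "name": "Bob", "email_verified": False},
}

ACCOUNTS: dict = {}  # email -> account record, created on first login


def exchange_code(code: str) -> Optional[dict]:
    """Server-to-server exchange of the authorization code for the verified identity.
    The code is consumed on use, as a real token endpoint enforces (no replay)."""
    return _PROVIDER_CODES.pop(code, None)


def _login_or_create(email: str, name: str) -> dict:
    return ACCOUNTS.setdefault(email, {"email": email, "name": name})


def callback_vulnerable(query: dict) -> dict:
    """The flawed pattern: the email is read from the redirect URL the browser sent,
    so whoever edits the URL chooses which account is created or logged into."""
    return _login_or_create(query["email"], query.get("name", ""))


def callback_fixed(query: dict) -> Optional[dict]:
    """The hardened pattern: only the code comes from the URL. The email comes from
    the provider's response and is accepted only if the provider marked it verified.
    Any email/name fields present in the URL are ignored entirely."""
    identity = exchange_code(query.get("code", ""))
    if identity is None or not identity.get("email_verified"):
        return None  # unknown or already-used code, or provider did not vouch for the address
    return _login_or_create(identity["email"], identity["name"])


if __name__ == "__main__":
    # Same redirect, but with an email the user does not own added to the query string.
    tampered = {"code": "code-abc123", "email": "victim@example.com", "name": "Victim"}
    print("vulnerable ->", callback_vulnerable(tampered)["email"])  # victim@example.com
    print("fixed      ->", callback_fixed(tampered)["email"])       # alice@example.com
```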
We responsibly reported this vulnerability to the Alibaba security team. After a thorough investigation, the team implemented the necessary fixes to secure the OAuth authentication process and prevent unauthorized account access. With this patch in place, Qwen AI now properly verifies email ownership, ensuring that users can no longer bypass the verification process. We appreciate Alibaba’s swift response in addressing this issue and enhancing the platform’s security.
Impact of the Vulnerability
This misconfiguration leads to multiple security threats, including:
1. Account Takeover: Attackers can claim any unregistered email and gain full access to an account without ever verifying ownership.
2. Phishing & Social Engineering Attacks: Malicious actors can impersonate well-known individuals or organizations by registering their email addresses, increasing the effectiveness of phishing campaigns.
3. Identity Theft & Fraud: Since Qwen AI allows users to set a display name during the signup process, attackers can create fake profiles that look legitimate.
4. GDPR & Compliance Risks: This vulnerability violates standard security and privacy regulations, potentially exposing Qwen AI to legal and compliance issues.
Conclusion
This case highlights how a small misconfiguration in OAuth authentication can lead to serious security risks. At Cynical Technology, we are dedicated to uncovering and reporting vulnerabilities to help organizations enhance their security posture.
Authentication is the first line of defense for user accounts, and even minor misconfigurations can have catastrophic consequences. This vulnerability serves as a reminder that security must always be built-in, not bolted on. We encourage companies to rigorously test their authentication flows, conduct regular security audits, and follow best practices in implementing OAuth and identity management.
If you are an organization looking to secure your applications against similar threats, contact us for a security audit and let’s work together to build a safer cyber ecosystem.
🔒 Stay secure, stay informed!