• Security risk: Medium critical
  • Vulnerability: Hijacking Local Accounts


If a user creates a local account, then tries to log in with a third-party account (for example, Facebook, Twitter, Google, etc.) that uses the same email address, then the local account gets hijacked and taken over by the third-party account.

Reported by

GitHub account jamesjjk

Versions affected

loopback-component-passport 1.6.0 and earlier.


Version 2.0.0 of loopback-component-passport fixes this issue.

Ensure that your application’s package.json has the following line:

"dependencies": {
   "loopback-component-passport": "^1.6.0",

Then upgrade your project dependencies to use the latest version :

$ cd <app-root>
$ npm update