Ory Hydra consent flow vulnerability: arbitrary logo injection enables cookie exfiltration and clickjacking
A security research disclosure identifies multiple hardening gaps in Ory Hydra's consent and device authorization flows that, if exploited, could expose user credentials and enable UI-based attacks.
The most actionable issue involves the consent page template at `consent.html`, which renders a logo from the URL stored in the OAuth client's registration without validating the URL scheme or origin. A malicious client can register an attacker-controlled URI, causing the user's browser to issue requests to a third-party domain when the consent page loads. This leaks the victim's IP address, User-Agent, and session cookies to the adversary. The unvalidated image tag also permits UI-redressing attacks, in which the attacker overlays invisible elements to trick users into interacting with the malicious page.
A second finding concerns the device verification form at `device_verify.html`, which submits via the HTTP GET method. User codes are therefore appended directly to the URL, exposing them to server-side access logs, browser history, and the Referer header chain. Project maintainers note that device flow endpoints currently return HTTP 501 Not Implemented and are not exposed in active deployments. The issue is flagged as a future-hardening concern rather than an immediately exploitable flaw.
A third gap involves error page rendering in `internal/oauth/consent.go`. The `RenderErrorPage` function sets only the Content-Type header, omitting both `X-Frame-Options` and a Content-Security-Policy header. Error pages are therefore frameable, creating clickjacking risk where attackers embed them inside opaque overlays on malicious sites.
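As an added defender-side illustration of the first and third findings (example code written here, not Hydra's own; the function names, the host allow-list and the exact header set are assumptions), the following Go code refuses a client-registered logo URL unless it is absolute https, carries no credentials and points at an operator-approved host, and shows the anti-framing headers an error renderer should emit alongside Content-Type.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrLogoURIRejected is returned when a client-supplied logo URI fails policy.
var ErrLogoURIRejected = errors.New("logo_uri rejected by policy")

// ValidateLogoURI is a hypothetical check (not Hydra's own code) applied to the
// logo URL an OAuth client registers. It accepts only absolute https URLs whose
// host is on an operator-managed allow-list and that carry no userinfo, so the
// consent template never embeds an image from an attacker-chosen origin.
func ValidateLogoURI(raw string, allowedHosts map[string]bool) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrLogoURIRejected
	}
	// Refuse http (mixed content), data:, javascript:, scheme-relative or
	// relative paths, and URLs with embedded credentials.
	if u.Scheme != "https" || u.Host == "" || u.User != nil {
		return "", ErrLogoURIRejected
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return "", ErrLogoURIRejected
	}
	return u.String(), nil
}

// SetErrorPageHeaders adds the anti-framing headers a hardened error renderer
// would set next to Content-Type: X-Frame-Options for older browsers and a
// CSP frame-ancestors directive for current ones.
func SetErrorPageHeaders(h http.Header) {
	h.Set("Content-Type", "text/html; charset=utf-8")
	h.Set("X-Frame-Options", "DENY")
	h.Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")
	h.Set("X-Content-Type-Options", "nosniff")
}

func main() {
	allowed := map[string]bool{"logos.example.org": true} // constructed allow-list
	_, err := ValidateLogoURI("https://attacker.example/pixel.png", allowed)
	fmt.Println("attacker-hosted logo rejected:", err != nil)
}
```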
All three findings concern the open-source Ory Hydra OAuth2 server, a widely deployed authorization framework. Maintainers have been notified; patch timelines have not yet been confirmed.