gematik Authenticator
Authentication Flow Hijack
A malicious authenticator:// deep link can point the gematik Authenticator at an attacker-controlled identity provider, capturing the victim's smartcard-signed authentication assertion and, via relay, completing login to Telematikinfrastruktur services in the victim's name.
Description
The gematik Authenticator registers as the handler for the authenticator:// custom URI scheme and accepts a challenge_path parameter that names the Identity Provider (IDP) for an OpenID Connect login. No allowlist restricts which host may act as the IDP, so a crafted deep link can point the Authenticator at an attacker-controlled server. The link can be delivered through a web page, an email, or a QR code.
The parameter is checked only for URL shape, not for domain. Any http/https URL is accepted:
Challenge path validation accepts any HTTP(S) URL
export async function validateChallengePath(challengePath: string) { if (!COMMON_USED_REGEXES.URL.test(challengePath)) { /* throw */ }}
// constants.tsURL: /(http|https):\/\/(\w+:?\w*@)?(\S+)(:\d+)?(\/|\/([\w#!:.?+=&%@!\-/]))?/,The Authenticator fetches the OpenID Connect discovery document from that host and decodes it with jsonwebtoken.decode(), which performs no signature verification:
Discovery document accepted without signature verification
const res = await window.api.httpGet( context.state.idpHost + IDP_ENDPOINTS.OPENID_CONFIGURATION, { /* ... */ });context.commit('setOpenIdConfiguration', jsonwebtoken.decode(res.data));jsonwebtoken.decode() only base64-decodes the token; the library's own documentation warns it must not be used for untrusted messages. The attacker's unsigned document (alg: none) is accepted, and its authorization_endpoint and uri_puk_idp_enc fields are used as-is. The Authenticator then encrypts the smartcard-signed assertion with the attacker's public key and POSTs it to the attacker's endpoint:
Signed assertion POSTed to the attacker-controlled endpoint
const payload = 'signed_challenge=' + state.jweChallenge;const url = context.state.openIdConfiguration.authorization_endpoint;const response = await window.api.httpPost(url, payload, { /* ... */ });The POSTed JWE wraps a JWS holding the card's X.509 AUT certificate (x5c header) and the smartcard signature. Because the attacker owns the encryption key, they decrypt it and recover the signed assertion; this credential capture is demonstrated end-to-end against the mock environment. The challenge JWT carries no environmental binding (no cnf claim, source IP, or TLS session identifier), so the captured assertion can in turn be relayed to the real IDP to complete login as the victim — assessed from the specification and the reference IDP implementation, not tested against production infrastructure.
IDP certificate pinning was present in v4.4.1 but removed in v4.12.0 in favour of the OS trust store, so the attacker's host only needs an ordinary publicly-trusted TLS certificate (for example, Let's Encrypt). The smartcard's private key never leaves the card; the weakness is that the Authenticator does not authenticate the IDP it talks to.
Impact
- An attacker captures the victim's signed authentication assertion, including their X.509 AUT certificate and the smartcard signature, with no privileges, no malware, and no compromise of the Konnektor or smartcard.
- Because the challenge carries no session binding, the assertion can be relayed to the real IDP to complete login as the victim, yielding access tokens issued in their name for Telematikinfrastruktur services such as the ePA, E-Rezept, and insurance data.
- The victim sees only a normal-looking authentication prompt. The flow can be triggered from a web page, an email link, a QR code, or any local process that invokes the protocol handler.
Mitigation
Update to v4.16.0 or later. The durable fixes are: restrict challenge_path to an allowlist of known gematik IDP hosts; verify the discovery document and challenge with jsonwebtoken.verify() against the IDP's pinned signing key rather than decode(); restore IDP TLS certificate pinning and validate that discovery-document endpoints stay on the allowlisted host; and adopt DPoP (RFC 9449) so the challenge is bound to a per-session key that an attacker relaying the smartcard signature cannot reproduce.
Defender's Checklist
Confirm the deployed version
Ensure every workstation runs gematik Authenticator v4.16.0 or later; earlier builds, including the production App Store v4.15.3, are affected.
Treat authenticator:// links as untrusted
Authentication should be started from the local primary system, never from a link in an email, a web page, or a QR code.
Watch for unexpected IDP hosts
Where proxy logs are available, alert on Authenticator IDP traffic to hosts outside the known gematik Telematikinfrastruktur domains.
Severity Reasoning
Severity matches the vendor's GHSA score (CVSS 9.3).
References
How We Can Help
Who We Are
The security researchers behind this advisory.
Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumni of THB MedSec Research Group
- gematik Security Hero
Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero
Looking for a Penetration Test?
Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.