Auth0’s identity-as-a-service platform has been found to have a critical authentication bypass vulnerability that allows an attacker to access any application or portal that uses the Auth0 service for authentication.
Auth0 provides authentication and authorization for a range of platforms, including the ability to integrate social login into an application.
Auth0 is one of the largest identity platforms, with more than 2,000 enterprise customers, handling over 42 million logins a day and an estimated billions of logins per month.
Researchers from the security firm Cinta Infinita discovered the flaw (CVE-2018-6873) in Auth0’s Legacy Lock API while pentesting an application in September 2017. It stems from improper validation of the JSON Web Token (JWT) audience (aud) parameter: a token is accepted without confirming that it was issued for the application presenting it. The researchers used the issue to bypass login authentication with a simple cross-site request forgery (CSRF/XSRF) attack against applications that authenticate through Auth0.
A second issue, the CSRF vulnerability itself (CVE-2018-6874), allows an attacker to reuse a valid signed JWT generated for a separate account to access the targeted victim’s account. The attacker only needs to know the victim’s user ID or email address, neither of which is hard to obtain.
The researchers note that the attack is reproducible against many organisations without any social engineering. Applications that identify users by email address or by an incrementing integer are the easiest to bypass, since such identifiers are easy to guess or enumerate.
The security firm reported the vulnerability to the Auth0 Security Team in October 2017, and the company responded in less than four hours.
But because the vulnerable SDK and supporting libraries are deployed on the client side, inside each customer’s own application, it took almost six months to contact every customer and get the fix rolled out.
The Auth0 team made it clear that the issue could not be fixed centrally: customers had to upgrade the libraries/SDKs on their end, which is a much larger undertaking.
The company mitigated the vulnerabilities by rewriting the affected libraries and releasing new versions of its SDKs (auth0.js 9 and Lock 11); applications still on earlier versions remain exposed until they upgrade.
The security firm has now released a proof-of-concept (PoC) video demonstrating how an attacker obtains the victim’s user ID and bypasses password authentication when logging into Auth0’s Management Dashboard by forging an authentication token.