Researchers from Cinta Infinita found the Auth0 Bypass Vulnerability
Researchers have found a critical authentication bypass vulnerability in the identity-as-a-service platform Auth0. The vulnerability could have allowed attackers to access any portal or application gated by the Auth0 service.
“The described vulnerability would allow malicious users to run cross-company attacks, allowing them to access any portal / application protected with Auth0 with minimum knowledge,” wrote Cinta Infinita on Medium. “The only thing a malicious user needed to perform the attack was administrative access to any Auth0 account and, since registration is free, this requirement could be trivially fulfilled.”
What is Auth0
Auth0 is an identity-as-a-service authentication platform that offers token-based authentication across myriad platforms, including social media logins. Auth0 boasts over 2,000 enterprise clients and manages over 42 million logins every day – totaling billions each month – making it one of the largest identity authentication platforms on the internet.
Auth0 is essentially OAuth 2.0 delivered as a service. OAuth is an open standard for access delegation that lets users grant websites or applications access to their resources without handing over passwords. OAuth began in 2006 as the brainchild of a group of developers looking to use OpenID with the Twitter and Ma.gnolia APIs. In April 2007 a working group officially began drafting a formal specification, which was finished in December of that year. OAuth 2.0 was released in 2012. Today OAuth 2.0 is supported by the likes of Google, Facebook and Microsoft.
The Auth0 Bypass Vulnerability
Back in September of 2017, Cinta Infinita researchers were performing penetration testing on an application when they discovered an authentication bypass vulnerability (CVE-2018-6873). The flaw was in Auth0’s Legacy Lock API and stemmed from improper validation of the JSON Web Token (JWT) audience parameter (the aud claim), which is what ties a token to the one application it was issued for.
The researchers were able to bypass login authentication using cross-site request forgery. The vulnerability allows an attacker to reuse a valid, signed JWT generated for a different account (in a different Auth0 tenant) to gain access to a victim’s account in the target application. To pull off this exploit, all an attacker would need is the victim’s user ID or email address, which is extremely easy to procure.
Per Cinta Infinita, the attack is easily reproducible and could be used against plenty of organizations:
“As long as we know the expected fields and values for the JWT. There is no need of social engineering in most of the cases we saw. Authentication for applications that use an email address or an incremental integer for user identification would be trivially bypassed.”
For what it’s worth, whoever documented this exploit for Cinta Infinita either just learned the word “trivially” or he owns stock in the word, because it gets used a lot. Back to the matter at hand though, Cinta Infinita notified the Auth0 team last October, and to their credit a fix was released in four hours.
The speed with which the patch was released was undermined by the slow notification process that took place. Because the vulnerable SDK and its supported libraries are a client-side implementation, it took Auth0 six months to notify its customers and assist them with the fix.
Should I be concerned?
By all accounts, both Auth0’s and Cinta Infinita’s, this vulnerability has been fixed. Auth0 extensively rewrote the affected libraries and released two new versions of its SDK. For its part, Cinta Infinita waited six months to disclose the vulnerability, which gave Auth0 the time it needed to correct things.
This is how responsible disclosure is supposed to work.
If you’re interested, Cinta Infinita provided a Proof of Concept that can be seen in the video below.