{"id":6239,"date":"2018-04-09T16:06:08","date_gmt":"2018-04-09T20:06:08","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=6239"},"modified":"2020-12-15T10:47:55","modified_gmt":"2020-12-15T15:47:55","slug":"auth0-identity-platform-security-alert-authentication-bypass-vulnerability-found","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/auth0-identity-platform-security-alert-authentication-bypass-vulnerability-found\/","title":{"rendered":"Auth0 Identity Security Alert: Authentication Bypass Vulnerability found"},"content":{"rendered":"<h2>Researchers from Cinta Infinita found the Auth0 Bypass Vulnerability<\/h2>\n<p>Researchers have found a critical authentication bypass vulnerability in the identity-as-a-service platform, Auth0. The vulnerability could have allowed attackers to access any portal or application gated by the Auth0 service.<\/p>\n<p>\u201cThe described vulnerability would allow malicious users to run cross-company attacks, allowing them to access any portal \/ application protected with Auth0 with minimum knowledge,\u201d <a href=\"https:\/\/medium.com\/@cintainfinita\/knocking-down-the-big-door-8e2177f76ea5\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">wrote Cinta Infinita on Medium<\/a>. \u201cThe only thing a malicious user needed to perform the attack was administrative access to any Auth0 account and, since registration is free, this requirement could be trivially fulfilled.\u201d<span id=\"newline\"><\/span><\/p>\n<h2>What is Auth0<\/h2>\n<p>Auth0 is an identity-as-a-service authentication platform that offers token-based authentication solutions across myriad platforms, including social media. Auth0 boasts over 2,000 enterprise clients and manages over 42 million logins every day \u2013 totaling billions each month \u2013 making it one of the largest identity authentication platforms on the internet.<\/p>\n<p>Auth0 is essentially OAuth 2.0. 
OAuth is an open standard for access delegation that grants users access across websites or applications without sharing their passwords. OAuth began in 2006 as the brainchild of a group of developers looking to use OpenID with the Twitter and Ma.gnolia APIs. In April of 2007 a working group officially began drafting a formal specification, which was finished in December of that year. OAuth 2.0 was released in 2012. Currently OAuth 2.0 is supported by the likes of Google, Facebook and Microsoft.<\/p>\n<h2>The Auth0 Bypass Vulnerability<\/h2>\n<p>Back in September of 2017, Cinta Infinita researchers were performing penetration testing on an application when they discovered an authentication bypass vulnerability (CVE-2018-6873). The flaw was discovered in Auth0\u2019s Legacy Lock API as a result of improper validation of the JSON Web Token (JWT) audience parameter.<\/p>\n<p>The researchers were able to bypass login authentication with the use of cross-site request forgeries. The vulnerability allows attackers to reuse a valid signed JWT that was generated for another account to gain access to a victim\u2019s account. To pull off this exploit all an attacker would need is a user ID or email address, which is extremely easy to procure.<\/p>\n<p>Per Cinta Infinita, the attack is easily reproducible and could be used against plenty of organizations:<\/p>\n<p>&#8220;As long as we know the expected fields and values for the JWT. There is no need of social engineering in most of the cases we saw. Authentication for applications that use an email address or an incremental integer for user identification would be trivially bypassed.&#8221;<\/p>\n<p>For what it\u2019s worth, whoever documented this exploit for Cinta Infinita either just learned the word \u201ctrivially\u201d or he owns stock in the word, because it gets used a lot. 
Back to the matter at hand though, Cinta Infinita notified the Auth0 team last October, and to their credit a fix was released in four hours.<\/p>\n<p>The speed with which the patch was released was undermined by the slow notification process that took place. Because the vulnerable SDK and its supported libraries are a client-side implementation, it took Auth0 six months to notify its customers and assist them with the fix.<\/p>\n<h2>Should I be concerned?<\/h2>\n<p>By all accounts, both Auth0\u2019s and Cinta Infinita\u2019s, this vulnerability has been fixed. Auth0 extensively rewrote the affected libraries and released two new versions of its SDK. For its part, Cinta Infinita waited six months to disclose the vulnerability, which gave Auth0 the time it needed to correct things.<\/p>\n<p>This is how <a href=\"https:\/\/www.thesslstore.com\/blog\/responsible-disclosure-windows\/\">responsible disclosure<\/a> is supposed to work.<\/p>\n<p>If you\u2019re interested, Cinta Infinita provided a Proof of Concept that can be seen in the video below.<\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/9E7kfdGN1eY\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers from Cinta Infinita found the Auth0 Bypass Vulnerability Researchers have found a critical authentication bypass vulnerability in the identity-as-a-service platform, Auth0. 
The vulnerability could have allowed attackers to access&#8230;<\/p>\n","protected":false},"author":6,"featured_media":6240,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[330],"class_list":["post-6239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-authentication","post-with-tags"],"views":12141,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/04\/bigstock-219352996.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=6239"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/6239\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/6240"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=6239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=6239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=6239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}