Authentication bypass vulnerability found in Auth0 identity platform

A critical authentication bypass vulnerability for one of the biggest identity-as-a-service platforms Auth0 was recently revealed. The vulnerability, detected by security firm Cinta Infinita in September 2017, could allow an attacker access to any account on the platform by performing a cross-site request forgery attack. While patching endeavors took several months they now appear mostly complete.

What is Auth0

Auth0 offers a token-based authentication solution for a number of platforms, including over 2000 enterprise customers and 42 million logins every day. The ability to integrate social media authentication within an application is one of the many solutions provided by the company.

Discovery and application of the vulnerability

In September 2017 researchers from security firm Cinta Infinita discovered a flaw in the Legacy Lock API used by Auth0 during a pentest of an application using the service. The vulnerability, dubbed CVE-2018-6873, relies on faulty validation of the JSON Web Tokens (JWT) audience parameter.

Through a simple cross-site request forgery the researchers were able to exploit the vulnerability, dubbed CVE-2018-6874, bypassing login authentication of any applications using Auth0 authentication. The exploitation allowed for the researchers to re-use the JWT of a separate account to gain access to a victim account.

In order for the vulnerability to work an attacker would need to know the victim’s user ID or email address. However these details would be near trivial to acquire through social engineering or guesswork. A proof of concept video of the exploit was also released by Cinta Infinita. The video clearly demonstrates the potential of the vulnerability and how it was performed. It can be seen below.

Remediation

Cinta Infinita gave Auth0 six months to remediate the issue before releasing it to the public. The company was quick to address the weakness in their SDK and libraries. However, applying the patches ended up being a 6 month endeavor. This was the result of contacting each customer using the vulnerable code. “We waited for six months before publicly disclosing this issue so that Auth0 could update all their Private SaaS Appliances (on-premise) as well.”  was stated in an analysis released by the security firm.