Authentication Bypass Vulnerability Found in Auth0 Identity Platform

A critical authentication bypass vulnerability has been discovered in one of the biggest identity-as-a-service platform Auth0 that could have allowed a malicious attacker to access any portal or application, which are using Auth0 service for authentication.

Auth0 offers token-based authentication solutions for a number of platforms including the ability to integrate social media authentication into an application.

With over 2000 enterprise customers and managing 42 million logins every day and billions of login per month, Auth0 is one of the biggest identity platforms.

While pentesting an application back in September 2017, researchers from security firm Cinta Infinita discovered a flaw (CVE-2018-6873) in Auth0's Legacy Lock API, which resides due to improper validation of the JSON Web Tokens (JWT) audience parameter.

Researchers successfully exploited this issue to bypass login authentication using a simple cross-site request forgery (CSRF/XSRF) attack against the applications running over Auth0 authentication.

Auth0's CSRF vulnerability (CVE-2018-6874) allows an attacker to reuse a valid signed JWT generated for a separate account to access the targeted victim's account.

For this, all an attacker needs is the victim's user ID or email address, which can be obtained using simple social engineering tricks.

Video Demonstration of the Attack

According to the researchers, the attack is reproducible against many organisations, "as long as we know the expected fields and values for the JWT. There is no need of social engineering in most of the cases we saw. Authentication for applications that use an email address or an incremental integer for user identification would be trivially bypassed."

The security firm reported the vulnerability to the Auth0 Security Team in October 2017. The company acted very fast and addressed the weakness in less than 4 hours.

However, since the vulnerable SDK and supported libraries of Auth0 have been implemented on the client side, Auth0 took almost six months to contact each of their customers and help them fix this vulnerability, before publicly disclosing this issue.

"Unlike the fix for the special case discovered by Cinta Infinita, this issue could not be solved without forcing our customers to upgrade the libraries/SDKs on their end, a much more significant undertaking," the Auth0 team said in its advisory.

The company has mitigated the vulnerabilities by extensively rewriting the affected libraries and releasing new versions of its SDKs (auth0.js 9 and Lock 11).

Cinta Infinita also waited six months before publicly disclosing the vulnerability, giving the Auth0 team enough time to update all their Private SaaS Appliances (on-premises) as well.

The security firm has now released a proof-of-concept (PoC) video, demonstrating how they obtained the victim's user id and bypass password authentication when logging into Auth0's Management Dashboard by forging an authentication token.