Zero to Account Takeover: How I ‘Impersonated’ Someone Else Using Auth0
Since the publication of this blog, attempts have been made to discredit our findings, methodology and accuracy. Imperva stands by our research. Our findings were reported to Auth0 as part of their own bug bounty program, following their official process. Auth0 was kept informed of our findings and was provided with a draft of this blog post, which they reviewed and approved prior to publication. As noted in the blog, we are referencing an unintended use and how someone could execute a phishing technique to steal credentials. As with all of our research, our goal is to help customers and readers of the blog protect themselves from cybercriminals.
There’s a fine line between an unintended use and a bug; this was my conclusion after taking a look at Auth0, an identity-as-a-service offering with 2000 enterprise customers – more or less the size of Schneider Electric, Atlassian, Dow Jones, Nvidia, and Mozilla, among others – and 42 million logins a day.
In this post I’ll explain how this “unintended use” could let someone execute a phishing attack by utilizing cross-site scripting to inject code and using phishing techniques to steal credentials from authorized users. Pretty scary considering Auth0’s main purpose is to confirm users’ identities.
I don’t like long stories, so I’ll try to get straight to the point. While doing some research on auth0 (since we thought about using it as one of our product’s authentication mechanisms), I came across the following:
- There are three different subdomains under auth0:
- Auth0.com, which hosts all sites from the Americas
- Eu.auth0.com, which hosts all sites from the European Union and probably Middle-East
- Au.auth0.com, for Asia Pacific (APAC) access.
- Each subdomain is 100% independent of the other, meaning that if company A registered their domain under auth0.com but not under eu/au.auth0.com, then someone else could do it.
So far so good, right? Not quite
As you know, attackers are getting smarter (not to mention younger, with a lot of time to play around). So, trying to emulate this behavior, I came up with the wild idea of registering under eu.auth0.com and au.auth0.com sites with the same name as the one registered by my teammates on the product side (let’s call it Product).
So, we ended up having:
- auth0.com à the real product
- eu.auth0.com à first fake site
- au.auth0.com à second fake site
Ok, sure, there are slight differences in the name. The question here is whether someone will pick up on the differences (since the site certificate is the same for all and is a trusted one) or just skip over them.
Let’s just think about some previous attacks against big companies like Target and Home Depot. They relied a lot on suppliers and vendors, who had access to their systems. A single mistake on one of their suppliers led to some of the biggest data breaches in history. Now imagine how easy I could compromise a vendor of one of these big companies if they use an SSO platform that lacks basic security controls?
Responding to our research, Auth0 added that they provide additional security checks like:
“We also provide our users with an option to enable multi-factor authentication through Duo Security, Google Auth or our Guardian application. Enabling mentioned controls in place like MFA would increase the security of users accounts significantly. That’s something we always recommend.”
How was this addressed by auth0? We reached out to them and they mentioned that:
- They are actively looking for malicious kind of scripting within the landing pages as a preventive measure.
- They will enhance their security policy to prevent potential misuse of the service.
Auth0 added that as thing currently stand, they are working on getting rid of the ability to register the same account name in different regions.