
Auth0 was recently found to have a serious authentication bypass vulnerability. CVE-2018-6873 stems from Auth0's Legacy Lock API not properly validating the parameters of JSON Web Tokens (JWTs), which can then be used to trigger a CSRF/XSRF vulnerability (CVE-2018-6874). An attacker only needs to know the victim's user ID or email address to log in as that user to an application that uses Auth0 for authentication.
Auth0 has more than 2,000 enterprise customers and handles over 1.5 billion login verifications per day, making it one of the largest identity platforms. Auth0 has released an update that fixes this vulnerability.
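The root cause described above is incomplete validation of a token's parameters. As an added illustration (not Auth0's code, and not a description of the exact checks the Legacy Lock API omitted), the following Python verifies an HS256 JWT the way a relying application should: pinned algorithm and signature first, then issuer, audience, expiry and subject, so that a token carrying the right user ID but minted by another issuer or for another client is rejected. The secret, issuer URL and client ID are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example; a real deployment uses its own
# tenant issuer, client id (audience) and signing secret.
SECRET = b"example-shared-secret"
EXPECTED_ISS = "https://example-tenant.auth0.com/"
EXPECTED_AUD = "example-client-id"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, secret=SECRET, alg="HS256"):
    # Helper that mints tokens so the checks in verify_token can be exercised.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return (claims, None) if every check passes, else (None, reason).
    Knowing a valid 'sub' is never enough: signature, alg, iss, aud and exp
    must all match what this application expects."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # bad segment count, bad base64 or bad JSON
        return None, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header
        return None, "unexpected alg"
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != EXPECTED_ISS:  # must be issued by our own tenant
        return None, "wrong issuer"
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"  # token was minted for another client
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired or missing exp"
    if not claims.get("sub"):
        return None, "missing sub"
    return claims, None
```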
Affected version
auth0.js versions earlier than 9 and Lock versions earlier than 11
Unaffected Version
The new SDK versions (auth0.js 9 and Lock 11)
Solution
Auth0 has published an official notice explaining the above vulnerabilities and has released a new version. Affected users should update and protect themselves as soon as possible by following the official instructions.
Users who cannot upgrade immediately can take the following temporary measures:
- For CVE-2018-6874, set the Legacy Lock API flag in the management dashboard to off. This disables cross-origin authentication, but the Universal Login page (/login) keeps working.
- The official recommendation is to use multifactor authentication. Users who have this feature enabled are not affected by the above vulnerabilities.