Researchers at Imperva on Tuesday found that Auth0's subdomain names are susceptible to security issues that would allow attackers to launch phishing attacks, harvest user credentials, or even possibly launch cryptomining attacks.
After this article was originally published, Auth0 reached out to deny and call into question Imperva's blog post, citing "factual inaccuracies" within it.
Imperva took down the blog for two hours before re-posting it, unchanged, on its website. The company gave no further explanation to Threatpost about why it took down the blog and then put it back online, despite multiple emails and phone calls.
“There are thousands of ways to perpetrate the same kind of phishing attempt on any company, aside from Auth0,” Joan Pepin, the CISO and vice president of operations at Auth0, told Threatpost in an email.
“While Imperva recognizes Auth0 as a leader in the security space and singled us out for the purposes of this blog post, social engineering like this can be executed in countless ways, especially when someone chooses to take advantage of our platform’s extensibility and flexibility,” Pepin told Threatpost. “Our documentation provides specific guidelines that were not followed in this case, such as using a custom domain, that would eliminate the risk altogether.”
Researcher Daniel Svartman said Imperva was considering Auth0 as an authentication mechanism for one of its products, so he was conducting some research on the service. During this process, he found potential security problems with the service's subdomain registrations.
“Essentially, an attacker could spoof a legitimate website using the subdomain name from a different region,” Imperva researchers said in a post on Tuesday. “The attack would be very difficult to identify and could result in visitors to the site not realizing it is fake and handing over sensitive information.”
(Score: 0) by Anonymous Coward on Saturday June 09 2018, @07:41PM (1 child)
Libraries are a thing last time I heard.
(Score: 2) by darkfeline on Saturday June 09 2018, @10:41PM
If you have more than one server, you cannot authenticate locally. At best, you can use client libraries, but you're still going to need a central authentication service.
Outsourcing the authentication service could be a good idea. Even with the downsides of outsourcing such a crucial component, most companies do not have the resources to do a better job in-house. If I had to use the services of a small scrappy startup, I would very much prefer they use an external authentication service than handrolling their own.