posted by Fnord666 on Saturday June 09 2018, @10:47AM   Printer-friendly
from the another-day-another-exploit dept.

Researchers at Imperva on Tuesday found that the subdomain names of Auth0 are susceptible to security issues, allowing attackers to launch phishing attacks, harvest user credentials, or even possibly launch cryptomining attacks.

After this article was originally published, Auth0 reached out to deny and call into question Imperva's blog post, citing "factual inaccuracies" within the blog.

Imperva took down the blog for two hours, before re-posting the blog, unchanged, onto its website. The company gave no further explanation to Threatpost about why it took down the blog then put it back online, despite multiple emails and phone calls.

“There are thousands of ways to perpetrate the same kind of phishing attempt on any company, aside from Auth0,” Joan Pepin, the CISO and vice president of operations at Auth0, told Threatpost in an email.

“While Imperva recognizes Auth0 as a leader in the security space and singled us out for the purposes of this blog post, social engineering like this can be executed in countless ways, especially when someone chooses to take advantage of our platform’s extensibility and flexibility,” Pepin told Threatpost. “Our documentation provides specific guidelines that were not followed in this case, such as using a custom domain, that would eliminate the risk altogether.”

Researcher Daniel Svartman said Imperva was thinking of using Auth0 as one of its product’s authentication mechanisms, so he was conducting some research on the service. During this process, he found potential security problems with the service’s subdomain registrations.

“Essentially, an attacker could spoof a legitimate website using the subdomain name from a different region,” Imperva researchers said in a post on Tuesday. “The attack would be very difficult to identify and could result in visitors to the site not realizing it is fake and handing over sensitive information.”

  • (Score: 0) by Anonymous Coward on Sunday June 10 2018, @02:26AM (#691008) (1 child)

    Yes, it is actually very hard to roll your own and do it properly and securely. Also, it’s a big headache for users to maintain logins for every damn site that wants one. If someone can do user authentication right, it might be like Kerberos at web scale.
  • (Score: 0) by Anonymous Coward on Sunday June 10 2018, @03:11PM (#691108)

    I've seen auth0 implemented a couple of times. Badly. Breaks easily. Does not work properly. From what I can tell it causes the local energy company a serious headache to the point that their helpdesk staff know what it is. Fail.