A glitch in Auth0 could allow attackers to spoof a legitimate website and collect sensitive information from visitors.

UPDATE

Researchers are warning of a glitch in the Auth0 identity-as-a-service offering, which could allow bad actors to spoof a legitimate website and collect sensitive information from visitors.

Researchers at Imperva on Tuesday found that the subdomain names of Auth0 are susceptible to security issues, allowing attackers to launch phishing attacks, harvest user credentials, or even possibly launching cryptomining attacks.

Auth0 after this article was originally published reached out to deny and call into question Imperva’s blog post, citing “factual inaccuracies” within the blog.

Imperva took down the blog for two hours on Wednesday, before re-posting the blog later in the day, unchanged, onto its website. Imperva then took down the post on Friday, only to re-post it hours later. This time Imperva released the following statement explaining why it took down and re-posted the blog post multiple times.

“On June 6, Auth0 informed us of their concerns with the blog. Out of respect for Auth0, we pulled down the blog while we reviewed their concerns. After careful consideration, we stand behind the original blog post and have reposted the blog. We disagree with the Auth0 comment that our blog post is inaccurate. This Imperva blog post is about phishing attempts more generally. As noted in the blog, we are referencing an unintended use and how someone could execute a phishing technique to steal credentials. As with all of our research, our point is to help customers and readers of the blog protect themselves from cybercriminals.”

Responding to Imperva’s original blog post, Joan Pepin, the CISO and vice president of operations at Auth0, told Threatpost on Wednesday in an email there are “thousands of ways to perpetrate the same kind of phishing attempt on any company, aside from Auth0.” She downplayed the severity of Imperva’s research.

“While Imperva recognizes Auth0 as a leader in the security space and singled us out for the purposes of this blog post, social engineering like this can be executed in countless ways, especially when someone chooses to take advantage of our platform’s extensibility and flexibility,” Pepin told Threatpost. “Our documentation provides specific guidelines that were not followed in this case, such as using a custom domain, that would eliminate the risk altogether.”

Researcher Daniel Svartman said Imperva was thinking of using Auth0 as one of its product’s authentication mechanisms, so he was conducting some research on the service. During this process, he found potential security problems with the service’s subdomain registrations.

“Essentially, an attacker could spoof a legitimate website using the subdomain name from a different region,” Imperva researchers said in a post on Tuesday. “The attack would be very difficult to identify and could result in visitors to the site not realizing it is fake and handing over sensitive information.”

Auth0 has three different subdomains, found Svartman: Auth0.com, which hosts sites from the Americas, Eu.Auth0.com, for sites in the EU, and AU.Auth0.com, for APAC access.

“Each subdomain is 100 percent independent of the other, meaning that if company A registered their domain under auth0.com but not under eu/au.auth0.com, then someone else could do it,” said Svartman.

That means that bad actors could potentially register under a domain under a different location purporting to be a legitimate product’s website that exists in another domain location.

To test this, Svartman said he was able to register under the eu.auth0.com and au.auth0.com sites with the same name as a product registered by his teammates on the product side (auth0.com was a real product, the other domain registrations were fake) and a slight difference in the name.

To make matters worse, Auth0 also provides users with flexibility to customize the “Login” and “Forgot Password” pages on their eu.auth0.com and au.auth0.com sites.

“This ‘flexibility’ includes the capability of writing/embedding JavaScript code within the custom pages,” said Svartman.

Because of this feature, Svartman said he could create same landing page for the fake sites as their real counterparts – but also write JavaScript code within the landing page that harvests users’ credentials (username and password), which then sends them to the bad actor via Asynchronous JavaScript And XML (AJAX) and later redirects users to the real login page, authenticating them.

“This step is fairly straightforward, and any moderately skilled hacker could do it within a short amount of time,” said Svartman.

Auth0 identity-as-a-service offering has around 2,000 enterprise customers in over 70 counties; the company boasts that it racks up 42 million logins a day. The implications of the ability to write JavaScript code in a widely deployed product used for single sign-on (SSO) could be disastrous, warned Svartman – especially with more attacks, like those of Target and Home Depot, on companies coming through third-party suppliers and vendors.

“Let’s just think about some previous attacks against big companies like Target and Home Depot,” he said. “They relied a lot on suppliers and vendors, who had access to their systems. A single mistake on one of their suppliers led to some of the biggest data breaches in history. Now imagine how easy I could compromise a vendor of one of these big companies if they use an SSO platform that lacks basic security controls?”

Auth0 for its part said that they can’t disable the Javascript coding capability, as it’s a feature for customers’ landing pages, but that they are working on getting rid of the ability to register the same account name in different regions.

The company also said that it provides additional security checks like breached password protection and anomaly detection.

The article was updated June 6 at 3:00 p.m. to reflect Auth0’s statements and the fact that the blog post was taken down and then reposted.

The article was updated June 8 at 11:15 a.m. to reflect the fact that the blog post was once again taken down.

The article was updated June 8 at 2:24 p.m. to reflect the fact that the Imperva blog post was once reposted.