
Auth0 Glitch Allows Attackers to Launch Phishing Attacks - xkcd-sucks
https://threatpost.com/auth0-glitch-allows-attackers-to-launch-phishing-attacks/132554/
======
Osiris
I use auth0 on a project and reported this issue to them over 6 months ago.
They assured me that they would look into it. Clearly they did not.

~~~
devinegan
This is a big tell. Don't fall for the marketing spin above. They didn't take this
threat seriously; will they take any others seriously until it hits the
mainstream media? I would look closely at those you trust with authentication
if you outsource this critical piece of infrastructure.

------
mgonto
Hey,

This is Gonto. I'm the VP, Marketing and Growth at Auth0. I want to assure you
that in no way is Auth0's platform insecure, or is any customer domain at
risk. This is _not_ a vulnerability, a flaw, nor is there anything to be
patched. To learn more about this, please check our blog post:
https://auth0.com/blog/phishing-attacks-with-auth0-facts-first/

Thanks!

~~~
sbr464
One random idea, not sure how practical - do a screenshot analysis/pattern
matching on all customer login pages. If verbiage or screenshot matches are
close enough, it gets flagged for human review. This would only work on the
pages at different Auth0 domains, obviously. Since the login URL endpoints are
saved in the Auth0 admin console, it could be easy to directly check the page.
If that doesn't work, you could require customers to store the login URLs to
make scanning them easier.

~~~
sbr464
A potentially easier approach could be detecting when an existing Auth0 user
attempts to access an abnormal Auth0 subdomain. Even if the user gives up
their user/pass accidentally, you could send an email warning to review their
activity. You can fingerprint the user's browser or IP address to help
identify them if you don't have any other info.
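
The heuristic sbr464 sketches in the two comments above, as an added example written for this page (it is not Auth0's code and not the commenter's): learn which tenant subdomains each identifier normally logs in to, fall back to an IP plus User-Agent fingerprint when the identifier itself is unknown, and report a login submitted to a tenant that user has never used. It goes one step beyond the comment by also checking whether the unexpected tenant name resembles one the user does use (small edit distance or a "known-tenant-" prefix), which is the name-level analogue of the page-similarity idea in the first comment. The event fields, tenant names and traffic are all constructed for the demo; a real deployment would read them from the provider's login logs.

```python
"""Flag logins submitted to an unexpected tenant subdomain (added example, not Auth0 code).

Assumed event shape: one dict per login submission carrying the tenant
subdomain the form was served from, the identifier typed, the client IP and
User-Agent. Baselines are learned from the events themselves, in order.
"""
from collections import defaultdict

# Constructed sample traffic for the demo; tenant names and users are made up.
LOGIN_EVENTS = [
    {"tenant": "acme-corp", "email": "alice@example.com", "ip": "203.0.113.10", "ua": "Firefox/115"},
    {"tenant": "acme-corp", "email": "alice@example.com", "ip": "203.0.113.10", "ua": "Firefox/115"},
    {"tenant": "acme-corp", "email": "alice@example.com", "ip": "203.0.113.10", "ua": "Firefox/115"},
    # same user, same browser, but the form lived on a lookalike tenant name
    {"tenant": "acme-c0rp", "email": "alice@example.com", "ip": "203.0.113.10", "ua": "Firefox/115"},
    {"tenant": "globex", "email": "bob@example.com", "ip": "198.51.100.7", "ua": "Chrome/120"},
    {"tenant": "globex", "email": "bob@example.com", "ip": "198.51.100.7", "ua": "Chrome/120"},
    # identifier never seen before, but the browser fingerprint belongs to bob
    {"tenant": "globex-login", "email": "b0b@example.com", "ip": "198.51.100.7", "ua": "Chrome/120"},
    # first-ever login for this user: no baseline, so nothing to compare against
    {"tenant": "initech", "email": "carol@example.com", "ip": "192.0.2.44", "ua": "Safari/17"},
]


def edit_distance(a, b):
    """Levenshtein distance; a small value between tenant names suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate, known, max_distance=2):
    """Return the known tenant that `candidate` imitates, or None."""
    for t in known:
        if t == candidate:
            continue
        if edit_distance(candidate, t) <= max_distance or candidate.startswith(t + "-"):
            return t
    return None


def fingerprint(ev):
    """Coarse browser fingerprint used only when the typed identifier is unknown."""
    return (ev["ip"], ev["ua"])


def suspicious_logins(events, min_history=2):
    """Process events in order; return alerts for logins to a tenant the user never used.

    A user needs at least `min_history` prior logins before a new tenant is
    considered abnormal, so first contact with a service is not reported.
    """
    by_email = defaultdict(lambda: defaultdict(int))  # email -> tenant -> count
    by_fp = defaultdict(lambda: defaultdict(int))     # (ip, ua) -> tenant -> count
    alerts = []
    for ev in events:
        tenant = ev["tenant"]
        matched_by, profile = "email", by_email[ev["email"]]
        if not profile:  # unknown identifier: fall back to the browser fingerprint
            matched_by, profile = "fingerprint", by_fp[fingerprint(ev)]
        known = set(profile)
        if tenant not in known and sum(profile.values()) >= min_history:
            alerts.append({
                "email": ev["email"],
                "tenant": tenant,
                "resembles": looks_like(tenant, known),
                "matched_by": matched_by,
            })
        by_email[ev["email"]][tenant] += 1
        by_fp[fingerprint(ev)][tenant] += 1
    return alerts


if __name__ == "__main__":
    for alert in suspicious_logins(LOGIN_EVENTS):
        print(alert)
```

On the sample traffic this reports alice's submission to `acme-c0rp` (matched by her email, resembling `acme-corp`) and the `b0b@example.com` submission to `globex-login` (matched only through bob's IP and User-Agent, resembling `globex`), and stays quiet for carol's first login. The fingerprint fallback is the weak part in practice: users behind a shared NAT or corporate proxy share an IP, so an alert matched by fingerprint should trigger the email warning the comment describes, not an automatic lockout.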

------
thosakwe
A bit disappointing to hear, seeing as Auth0 is probably the biggest name in
its niche.

Hopefully they patch it up, because I'd rather use them than rolling my own
username/password, or sending my users through Facebook/Google/other sites
that track you.

