Hacker News
by mgonto 2937 days ago
Hey,

This is Gonto. I'm the VP, Marketing and Growth at Auth0. I want to assure you that in no way is Auth0's platform insecure, or is any customer domain at risk. This is not a vulnerability, a flaw, nor is there anything to be patched. To learn more about this, please check our blog post: https://auth0.com/blog/phishing-attacks-with-auth0-facts-fir...

Thanks!

4 comments

> The specific idea behind the security researcher’s phishing scam was a way to target a website that uses Auth0 authentication. Auth0 supports regional subdomains: auth0.com, eu.auth0.com, and au.auth0.com. A bad actor could potentially attempt to scam users of a website or application that uses one of the subdomains by registering any of the other regional subdomains while using the same name. The attacker could then set up a custom page on their subdomain and, assuming that they had access to the email addresses of users, send them a link and attempt to solicit secure information from them. Similar scams could be attempted using any domain that users could mistake for a legitimate one.

I'm genuinely curious... why doesn't registering an account on auth0.com automatically provision it on the regional sub-systems eu/au.auth0.com? Is this a common pattern with other companies in general?

One random idea, not sure how practical - Do a screenshot analysis/pattern matching on all customer login pages. If verbiage or screenshot matches are close enough, it gets flagged for human review. This would only work on the pages at different auth0 domains obviously. Since the login URL endpoints are saved in the Auth0 admin console, it could be easy to directly check the page. If that doesn't work, you could require customers to store the login URLs to make scanning them easier.
A potential easier approach could be detecting when an existing auth0 user attempts to access an abnormal auth0 subdomain. Even if the user gives up their user/pass accidentally you could send an email warning to review their activity. You can fingerprint the user's browser or ip address to help identify them if you don't have any other info.
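The detection idea in the comment above, as an added example that is not Auth0's code, not the commenter's, and not based on Auth0's real log schema: it parses constructed login events in a made-up "key=value" line format, learns which (tenant name, regional domain) pairs each user has legitimately signed in to, and flags a later sign-in to the same tenant name under a different regional domain (e.g. acme.auth0.com versus acme.eu.auth0.com), which is the look-alike case the thread is about. The three regional domains are the ones named in the quoted blog post; every user, IP and timestamp below is invented.

```python
import re
from collections import defaultdict

# The three regional Auth0 domains named in the quoted blog post.
REGIONAL_DOMAINS = ("auth0.com", "eu.auth0.com", "au.auth0.com")

# Constructed sample log in a hypothetical format (not Auth0's real log schema).
# alice normally uses acme.auth0.com, then signs in to the same-named tenant
# on the EU domain; carol uses two differently named tenants, which is fine.
SAMPLE_LOG = """\
2017-03-01T10:00:00Z user=alice@example.com host=acme.auth0.com result=success ip=203.0.113.10
2017-03-01T10:05:00Z user=bob@example.com host=acme.auth0.com result=success ip=203.0.113.11
2017-03-01T10:07:00Z user=carol@example.com host=widgets.eu.auth0.com result=success ip=198.51.100.7
2017-03-02T09:12:00Z user=alice@example.com host=acme.eu.auth0.com result=success ip=192.0.2.55
2017-03-02T09:13:00Z user=bob@example.com host=acme.auth0.com result=success ip=203.0.113.11
2017-03-02T09:20:00Z user=carol@example.com host=other.au.auth0.com result=failure ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn the constructed log lines into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def split_host(host):
    """Map 'acme.eu.auth0.com' -> ('acme', 'eu.auth0.com').

    Returns None for hosts that are not a single-label tenant under one of the
    regional domains (unrelated domains, nested labels, bare regional domain).
    """
    host = host.lower().rstrip(".")
    # Longest suffix first so 'eu.auth0.com' is matched before 'auth0.com'.
    for domain in sorted(REGIONAL_DOMAINS, key=len, reverse=True):
        if host.endswith("." + domain):
            tenant = host[: -(len(domain) + 1)]
            if tenant and "." not in tenant:
                return tenant, domain
            return None
    return None


def find_region_confusion(events):
    """Flag sign-ins to a known tenant name under a regional domain the user has
    never used for that name before.

    Events are processed in timestamp order. Only unflagged sign-ins extend a
    user's baseline, so a first phish does not whitelist the attacker's tenant.
    """
    seen = defaultdict(set)  # user -> {(tenant, regional_domain), ...}
    flags = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        parsed = split_host(e["host"])
        if parsed is None:
            continue
        tenant, region = parsed
        history = seen[e["user"]]
        prior_regions = {r for t, r in history if t == tenant}
        if prior_regions and region not in prior_regions:
            flags.append({
                "ts": e["ts"],
                "user": e["user"],
                "host": e["host"],
                "expected_hosts": sorted(f"{tenant}.{r}" for r in prior_regions),
                "result": e["result"],
                "ip": e["ip"],
            })
            continue
        history.add((tenant, region))
    return flags


def warning_text(flag):
    """Body of the review-your-activity email the comment suggests sending."""
    return (
        f"Your account {flag['user']} was used at {flag['host']} on {flag['ts']} "
        f"from {flag['ip']}. You normally sign in at "
        f"{', '.join(flag['expected_hosts'])}. If this was not you, change your "
        f"password and review recent activity."
    )


if __name__ == "__main__":
    for f in find_region_confusion(parse_log(SAMPLE_LOG)):
        print(warning_text(f))
```

The check keys on the user, so it works whether or not the two same-named tenants share any infrastructure; the fingerprinting the comment mentions (browser or IP) would only be needed to tie a sign-in to a user when the event lacks a usable identifier. Note what it cannot do: a user whose very first observed sign-in is to the attacker's regional tenant has no baseline to compare against.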
This blog post doesn't actually respond to the main security concern raised.

"malicious-service-a.com" spoofing "service-a.com" is different than "eu.auth0.com" spoofing "au.auth0.com".

In the second case both domains are valid auth0 domains. This makes it harder for a user to detect the phishing. This seems like a legitimate concern.

To expand the discussion, what about proactive tooling or enhancements to the Auth0 libraries or web dashboard to help strengthen defenses? Off the top of my head, similar to the features provided by the startup castle.io and others.