by sakopov
2937 days ago
> The specific idea behind the security researcher’s phishing scam was a way to target a website that uses Auth0 authentication. Auth0 supports regional subdomains: auth0.com, eu.auth0.com, and au.auth0.com. A bad actor could potentially attempt to scam users of a website or application that uses one of the subdomains by registering any of the other regional subdomains while using the same name. The attacker could then set up a custom page on their subdomain and, assuming that they had access to the email addresses of users, send them a link and attempt to solicit secure information from them. Similar scams could be attempted using any domain that users could mistake for a legitimate one.

I'm genuinely curious... why doesn't registering an account on auth0.com automatically provision it on the regional sub-systems eu/au.auth0.com? Is this a common pattern with other companies in general?