• If you use Auth0 you are not vulnerable to this attack.
• This attack is not new.
• It only affects your application if it connects to OAuth providers that do not perform FULL redirect_uri checks (e.g. Facebook).
• For you to be vulnerable, your web site also needs an endpoint that blindly redirects the browser to whatever URL it is given, parameters included (an open redirector).
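The two conditions above are easier to see side by side. The following is an added illustration, not Auth0's code nor Egor Homakov's: it models a provider that validates redirect_uri by domain only against one that requires an exact match, and a client endpoint that forwards blindly against one that only forwards to an allowlisted local path, then traces where an implicit-grant access token ends up. The hosts (client.example, provider behaviour, attacker.example), the token value and the endpoint paths are constructed for the example.

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Hypothetical hosts and values, constructed for this example.
REGISTERED_REDIRECT = "https://client.example/oauth/callback"
OPEN_REDIRECT_ENDPOINT = "https://client.example/redirect"
ATTACKER = "https://attacker.example/steal"
TOKEN = "tok_constructed_example"


# --- provider side: two ways of validating redirect_uri ---------------------

def domain_only_match(requested: str) -> bool:
    """The weak check: any URL on the registered scheme+host is accepted."""
    r, g = urlsplit(requested), urlsplit(REGISTERED_REDIRECT)
    return (r.scheme, r.netloc) == (g.scheme, g.netloc)


def exact_match(requested: str) -> bool:
    """The FULL check: the whole string must equal the registered value."""
    return requested == REGISTERED_REDIRECT


def provider_authorize(check, redirect_uri: str):
    """Implicit grant: after the user consents, the provider sends the browser
    to redirect_uri with the token in the URL fragment. Returns None when the
    check rejects the URI."""
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={TOKEN}"


# --- client side: the endpoint that receives the redirect --------------------

def open_redirector(request_url: str) -> str:
    """Blindly forwards to whatever 'next' says: the open redirector the attack needs."""
    return parse_qs(urlsplit(request_url).query).get("next", ["/"])[0]


ALLOWED_NEXT = {"/", "/dashboard", "/settings"}


def safe_redirector(request_url: str) -> str:
    """Only forwards to a relative, allowlisted path; everything else goes home."""
    nxt = parse_qs(urlsplit(request_url).query).get("next", ["/"])[0]
    parts = urlsplit(nxt)
    if parts.scheme or parts.netloc or nxt not in ALLOWED_NEXT:
        return "/"
    return nxt


# --- browser behaviour -------------------------------------------------------

def browser_follow(current_url: str, location: str) -> str:
    """Resolve a Location header the way a browser does: relative references
    are resolved against the current URL, and the current fragment is kept
    when the new location carries none (RFC 7231 section 7.1.2). That is
    what carries the token across the second redirect."""
    target = urljoin(current_url, location)
    frag = urlsplit(current_url).fragment
    if frag and not urlsplit(target).fragment:
        target = f"{target}#{frag}"
    return target


def run_attack(provider_check, client_endpoint):
    """The attacker supplies redirect_uri = the client's redirect endpoint,
    pointed at attacker.example. Returns the URL the browser finally lands
    on, or None if the provider refused the redirect_uri."""
    crafted = f"{OPEN_REDIRECT_ENDPOINT}?next={ATTACKER}"
    landed = provider_authorize(provider_check, crafted)
    if landed is None:
        return None
    return browser_follow(landed, client_endpoint(landed))


def token_leaked(final_url) -> bool:
    """True when the fragment carrying the token ended up on a foreign host."""
    if final_url is None:
        return False
    parts = urlsplit(final_url)
    return "access_token=" in parts.fragment and parts.netloc != urlsplit(REGISTERED_REDIRECT).netloc


if __name__ == "__main__":
    for check in (domain_only_match, exact_match):
        for endpoint in (open_redirector, safe_redirector):
            final = run_attack(check, endpoint)
            print(f"{check.__name__:18} + {endpoint.__name__:16} -> leaked={token_leaked(final)} {final}")
```

Only the combination of a domain-only provider check and an open redirector on the client lands the token on attacker.example; either an exact-match redirect_uri check at the provider or an allowlisted redirect at the client breaks the chain, which is why fixing the open redirector on your own site is enough even when the provider's check is loose.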

Tell me more…

Here is a longer and deeper description of the issue.

How we addressed this issue

As we did with Heartbleed a month ago, we acted immediately. The moment this hit the news we got in touch with the security experts at Sakurity, the consulting company we hired to audit our platform. We have been working very closely with Egor Homakov and his team on a weekly basis. Egor is a trusted and well-known security consultant who has found vulnerabilities in several OAuth providers. The moment this vulnerability was reported he re-assessed Auth0 and found that we are not vulnerable to this attack, because we do not have open redirectors on the server. Egor published about this on his blog.

It is worth mentioning that Egor had warned us all about this vulnerability a year ago.