On July 31st, 2019 at 05:11 UTC, Insomnia Security responsibly disclosed a JWT validation bypass issue to Auth0 while performing a penetration test for one of our customers. A single code path in one of our older, stable versions of our codebase was not using our standard baseline JWT implementation; it matched the JWS algorithm case-insensitively, which allowed a token to be routed to an "unsigned" verifier. This affected a very small subset of our endpoints.
After receiving the disclosure, we fixed the vulnerability within hours on the public cloud, and through logging, verified it was not being exploited in any way. We have seen zero signs that the vulnerability was discovered or exploited in the wild, and have recorded zero attempts to abuse the vulnerability.
We worked closely with Insomnia Security to immediately rectify the issue. As they state:
"Auth0's public platform was quickly patched and they rolled out patches to their private platform over time. Overall, the response from Auth0 was swift and pleasant. They quickly remediated the issue and appreciated the vulnerability report."
We take great care in our public libraries so that a vulnerability like this isn't present in our customers' or library users' code. Unfortunately, this specific code path did not rely on our own module; be assured that it does now. Since this disclosure, we have:
Conducted an exhaustive exercise with Auth0 Engineering and Product Security to review our libraries.
Launched a Bug Bounty program to accelerate the identification and remediation of existing vulnerabilities.
Transparency is one of our core values and permeates throughout our company, including the way in which we communicate about issues. We appreciate the continued feedback from the security community-at-large to ensure we are providing the most secure platform for our global customers.
Timeline
July 31st, 2019 at 05:11 UTC — Email sent to the security team by the Insomnia researcher
July 31st at 08:30 UTC — Security Incident Channel created by Auth0 IR Team
July 31st at 13:18 UTC — Vulnerability confirmed and fix started
July 31st at 21:34 UTC — Fix deployed to our stable environment
July 31st at 22:45 UTC — Fix verified by the Auth0 Security Team
July 31st at 23:00 UTC — Fix validated in production and by security researchers
About the author
Joan Pepin
Chief Security Officer (CSO)
Previously, Joan served as Business Information Security Officer (BISO) at Nike, Inc., as CISO and VP of Security at Sumo Logic, and held various positions within the Guardent/Verisign/Secureworks organization. Joan holds a patent for developing the methodology to assess whether a communication contains an attack.
She is also a well-recognized thought leader who has spoken at major events such as RSA, WhiteHat Security Summit, and Forrester Security Summit, and is frequently called upon for her expertise and commentary on Cloud Security and Compliance in large-scale and DevOps/CI environments.