Auth0 Security Bulletin for Assigning Scopes Based on Email Address


If you:

  • Use rules to assign scopes to users based on their email addresses and

  • Your application uses multiple connections

There is a possibility that your scopes could be compromised.

How This Works

Auth0 requires that email addresses are unique on a per-connection basis. However, there are no limitations on a per-application basis.

Therefore, it is possible for user A to sign up for the application using one connection and user B to sign up for the application with the same email address using a different connection.

If your rules assign scopes to users based on email address, the second user has now been given the same scopes as the first user, despite being a different individual.

How do I fix this?

The most straightforward mitigation is to require users to verify their email address after signing up and before being allowed to log in.