Update: Subdomain flaw puts users at risk

News by Rene Millman

Security researchers are reporting a phishing attack technique which hackers may be using in the wild, and could put websites at risk of attack.

Daniel Svartman, security researcher at Imperva, says he has discovered a potential phishing attack whereby an attacker could spoof a legitimate website using the subdomain name from a different region, or for that matter, a different Top Level Domain as well. The attack would be very difficult to identify and could result in visitors to the site not realising it is fake and handing over sensitive information.
In his blog, Svartman had said that an unintended use of the service could let someone execute a phishing attack by using Auth0's feature to write JavaScript in custom pages and using phishing techniques to steal credentials from authorised users.
Svartman found this attack methond while carrying out analysis on Auth0 (an identity-as-a-service offering with 2000 enterprise customers and 50 million logins a day) - however in a subsequent  email to SC Media UK Joan Pepin, CISO of Auth0,states that  “the reality is that any URL may be impersonated with a similar URL," adding, “In fact Svartman created a custom page in a subdomain with the same name but in a different region. By referring to use of XSS, the Imperva Post implies that the Auth0 platform contains an XSS vulnerability. This is untrue. There is nothing ‘cross-site' about this; it is simply ‘scripting'.” 
Svartman had reported that there are three different subdomains under auth0: Auth0.com, which hosts all sites from the Americas, eu.auth0.com, which hosts all sites from the European Union and probably Middle-East and au.auth0.com, for Asia Pacific (APAC) access. He added that each subdomain is 100 percent independent of the other, meaning that if company A registered their domain under auth0.com but not under eu/au.auth0.com, then someone else could do it.
The researcher said that he then registered under eu.auth0.com and au.auth0.com sites with the same name as the one registered by his colleagues to test his theory.
“In addition, I created the same landing page for the fake sites as their real counterparts, with one small difference. A JavaScript was written within the landing page code that harvests users' credentials (username and password), sends them to me via AJAX and later redirects to the real login page, authenticating users. This step is fairly straight-forward, and any moderately skilled hacker could do it within a short amount of time,” he said.
Imperva contacted Auth0, which responded saying, “We also provide our users with an option to enable multi-factor authentication through Duo Security, Google Auth or our Guardian application. Enabling mentioned controls in place like MFA would increase the security of users accounts significantly. That's something we always recommend.”

Pepin noted that phishing is an extremely common attack and for the unsuspecting or unprepared, it can be very easy to fall victim.
“None of what is described in the article is specific to Auth0's platform,” she said.
“It's also important to note that the author used the Auth0 domain in his examples. In production, we advise our customers to use a domain they own (also known as a custom domain). If used properly a custom domain would mitigate this attack. We provided the author with several other key steps that would have prevented this, but he chose not to employ them or include them in his post,” added Pepin.
A company statement sent to SC Media UK adds, “the attack would only apply to sites where duplicate subdomains can be registered by a bad actor, and would in addition require Auth0 customers to disregard the Auth0 best practice recommendations that Svartman himself actively chose to ignore. Further, given the way in which phishing attacks work, the reality is that virtually any website is at risk from a phishing attack that mimics the site's correct name; it is misleading to single Auth0 out as being a cause of this risk.”

Svartman added that as things currently stand, Auth0 is working on getting rid of the ability to register the same account name in different regions.
“The flaw still exists and the only way Auth0 could mitigate it is by preventing other users from registering domains with the same name as other customers on different regions,” said Svartman. Auth0 responded that: “It is simplistic and unrealistic to suggest that Auth0 should control its customers' domain name choices, let alone to imply that this is a ‘flaw' in the Auth0 platform.”
Sam Haria, Global SOC manager at invinsec, told SC Media that due to the nature of the threat, it is extremely easy for the attacker to execute this exploit, it only requires the intended victims online ID or email address.  Auth0 said in its statement to SC Media UK: “Nothing about the Auth0 platform aids in the discovery of an Auth0 customers' email addresses, nor would any Auth0 customer expect Auth0 to control what email addresses a customer chooses to use. Further, it is disingenuous to refer to this as an exploit – it is simply a phishing attack.”
“The organisation has over 2000 enterprise customers (some really big industry names) and therefore to work out email addresses will not be difficult. User IDs would be a little more challenging but nothing that would cause great difficulty to the attacker,” Haria said.
Dave Kennerley, director of Threat Research at Webroot, told SC Media UK that organisations can mitigate the risks of this attack vector greatly through the process of employee education, especially with regards to phishing. Employees should avoid clicking on links in emails where possible.  

“Auth0 have stated they have been working to remove the ability to register the same account name in multiple regions, and in the meantime, organisations worried about the potential risk could proactively (in theory) register their accounts in all available regions, thus eliminating the issue highlighted,” he said.

Imperva initially pulled its blog to consider AuthO concerns, but decided to repost it, commenting in an email to SC Media UK, "This Imperva blog post is about phishing attempts more generally. As noted in the blog, we are referencing an unintended use and how someone could execute a phishing technique to steal credentials. As with all of our research, our point is to help customers and readers of the blog protect themselves from cyber-criminals."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews