MFA bypass when using silent authentication

Disclosed by
lboy
  • Engagement: Undisclosed
  • Disclosed date: over 1 year ago
  • Priority: P3 (Bugcrowd VRT priority rating)
  • Status: Resolved (accepted and fixed)
Summary by customer

Okta Customer Identity Cloud (formerly Auth0) would like to thank the TrueLayer security team and the researcher for their collaboration in discussing and identifying the specific conditions resulting in the issue, and for the camaraderie shown among our teams during the remediation efforts.

We look forward to the continued partnership. Thank you for helping us keep the Auth0 product secure.

Summary by lboy

A security researcher discovered a way to bypass MFA in the login action of TrueLayer's Console when using a known username/password. The bug was only present when certain conditions were met, with the silent authentication feature enabled. The TrueLayer security team reproduced the issue in both TrueLayer's tenant and in other tenants, and therefore determined that it was most likely a bug in Auth0's implementation. After working with the Auth0 security team and HackerOne triagers, Auth0 were able to reproduce it and roll out a fix.
