MFA bypass when using silent authentication - CrowdStream

Summary by customer

Okta Customer Identity Cloud (formerly Auth0) would like to thank the TrueLayer security team and the researcher for their collaboration in discussing and identifying the specific conditions resulting in the issue, and for the camaraderie shown among our teams during the remediation efforts.

We look forward to the continued partnership. Thank you for helping us keep the Auth0 product secure.

Summary by lboy

A security researcher discovered a way to bypass MFA in the login action of TrueLayer's Console when using a known username/password. The bug was only present when certain conditions were met, with the silent authentication feature enabled. The TrueLayer security team reproduced the issue in both TrueLayer's tenant and in other tenants, and therefore determined that it was most likely a bug in Auth0's implementation. After working with the Auth0 security team and HackerOne triagers, Auth0 were able to reproduce it and roll out a fix.

Activity

gw_auth0_security Customer published the disclosure report
2 years ago(12 May 2023 18:04:23 UTC)
lboy sent a message
2 years ago(12 May 2023 09:30:00 UTC)
lboy updated the disclosure summary
2 years ago(12 May 2023 09:28:49 UTC)
gw_auth0_security Customer sent a message
2 years ago(11 May 2023 16:30:57 UTC)
lboy requested disclosure
2 years ago(02 May 2023 11:08:55 UTC)
aa_auth0_security Customer sent a message
2 years ago(06 Dec 2022 17:23:28 UTC)
lboy sent a message
2 years ago(06 Dec 2022 11:16:59 UTC)
mp_auth0_security Customer sent a message
2 years ago(29 Nov 2022 09:45:48 UTC)
mp_auth0_security Customer changed the state to Resolved
2 years ago(29 Nov 2022 09:44:04 UTC)
lboy sent a message
2 years ago(25 Nov 2022 09:18:30 UTC)
mp_auth0_security Customer sent a message
2 years ago(07 Nov 2022 12:11:24 UTC)
mp_auth0_security Customer changed the state to Unresolved
2 years ago(07 Nov 2022 12:10:45 UTC)
lboy sent a message
2 years ago(28 Oct 2022 16:32:00 UTC)
lboy resolved a blocker for Bugcrowd Operations by providing information on reproduction
2 years ago(28 Oct 2022 15:00:28 UTC)
lboy sent a message
2 years ago(28 Oct 2022 15:00:27 UTC)
soheesec_bugcrowd created a blocker on the researcher to provide information on reproduction
2 years ago(28 Oct 2022 08:16:26 UTC)
soheesec_bugcrowd sent a message
2 years ago(28 Oct 2022 08:16:06 UTC)
lboy sent a message
3 years ago(27 Oct 2022 16:03:33 UTC)
lboy claimed the submission
3 years ago(27 Oct 2022 15:59:51 UTC)
External Submission Form created the submission
3 years ago(27 Oct 2022 15:59:04 UTC)