We currently use Auth0 to manage our authentication. We have discovered a vulnerability where an attacker can get access to someone’s account by using the “Log In with Google”. We figure Auth0 must have seen this issue several times before, and may have suggestions on the best ways to fix it.
Steps To Reproduce:
The victim will create a account using the option “Log In with Google”
The attacker creates an account using the same email and a new password
Victim will receive a email to confirm the account
The attacker waits for the victim to click on the confirmation link and he will be able to log in using the password he set for the victim’s account
It sounds like you are using account linking to link the username/password account with the Google social account. Don’t do that! When linking two accounts, you should require proof that the user has access to both.
Before allowing login with a secondary account for the same email address you should link both accounts (User Account Linking).
Your account linking process should include authenticating with the primary account (Google in your case) before linking the secondary (email/password). Look at the Account Link Extension for an example of the flow (Account Link Extension)
An alternative would be to use a custom email verification flow which would prompt the user to authenticate before marking the email as verified. Hopefully Auth0 will bake that into a future version of the product.