We currently use Auth0 to manage our authentication. We have discovered a vulnerability where an attacker can get access to someone’s account by using the “Log In with Google” option. We figure Auth0 must have seen this issue several times before, and may have suggestions on the best ways to fix it.
Steps To Reproduce:
- The victim will create an account using the option “Log In with Google”
- The attacker creates an account using the same email and a new password
- The victim will receive an email to confirm the account
- The attacker waits for the victim to click on the confirmation link, and he will then be able to log in using the password he set for the victim’s account
Any idea on how to patch this vulnerability?
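The following is an added illustration, not code from the original post or from Auth0: a small in-memory model of the account flow described above, replaying the four steps under two policies. With `link_on_email_confirm=True` a mailbox confirmation promotes the attacker's pending password onto the victim's Google-backed account (the flaw); with `False` the confirmation only proves the address and a second credential is never attached to an account that already has another identity. All names and the store itself are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

@dataclass
class Account:
    email: str
    google_linked: bool = False
    password: Optional[str] = None          # active password identity, if any
    pending_password: Optional[str] = None  # set by an unconfirmed signup

class IdentityStore:
    """Constructed in-memory model of a user store; not Auth0's implementation."""

    def __init__(self, link_on_email_confirm: bool):
        # True reproduces the flaw in the post; False is the hardened policy.
        self.link_on_email_confirm = link_on_email_confirm
        self.accounts: Dict[str, Account] = {}

    def login_with_google(self, email: str) -> Account:
        acct = self.accounts.setdefault(email, Account(email))
        acct.google_linked = True
        return acct

    def signup_with_password(self, email: str, password: str) -> None:
        acct = self.accounts.setdefault(email, Account(email))
        acct.pending_password = password  # unusable until the address is confirmed

    def confirm_email(self, email: str) -> str:
        acct = self.accounts[email]
        if acct.pending_password is None:
            return "nothing pending"
        if acct.google_linked and not self.link_on_email_confirm:
            # The account already belongs to whoever authenticates via Google.
            # A click on a mailbox link proves the address, not consent to add
            # a credential, so linking must require a login with both identities.
            acct.pending_password = None
            return "rejected: existing account, explicit linking required"
        acct.password, acct.pending_password = acct.pending_password, None
        return "password identity active"

    def login_with_password(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None or acct.password is None:
            return False
        return secrets.compare_digest(acct.password, password)

def run_scenario(link_on_email_confirm: bool) -> bool:
    """Replays the post's steps; returns True if the attacker's password works."""
    store = IdentityStore(link_on_email_confirm)
    store.login_with_google("victim@example.com")                      # step 1
    store.signup_with_password("victim@example.com", "attacker-chosen")  # step 2
    store.confirm_email("victim@example.com")                           # step 3: victim clicks
    return store.login_with_password("victim@example.com", "attacker-chosen")  # step 4
```

A genuinely new user with no prior identity still completes signup normally under the hardened policy, since the rejection only fires when another identity already owns the address.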