Account Takeover using "Log In with Google"

We currently use Auth0 to manage our authentication. We have discovered a vulnerability where an attacker can get access to someone’s account by using “Log In with Google”. We figure Auth0 must have seen this issue several times before, and may have suggestions on the best ways to fix it.

Steps To Reproduce:

  • The victim will create an account using the option “Log In with Google”
  • The attacker creates an account using the same email and a new password
  • Victim will receive an email to confirm the account
  • The attacker waits for the victim to click on the confirmation link and he will be able to log in using the password he set for the victim’s account

Any idea on how to patch this vulnerability?

Hi @jusliu

It sounds like you are using account linking to link the username/password account with the Google social account. Don’t do that! When linking two accounts, you should require proof that the user has access to both.

John


Before allowing login with a secondary account for the same email address you should link both accounts (https://auth0.com/docs/users/user-account-linking).

Your account linking process should include authenticating with the primary account (Google in your case) before linking the secondary (email/password). Look at the Account Link Extension for an example of the flow (https://auth0.com/docs/extensions/account-link-extension#how-does-the-extension-work-).

An alternative would be to use a custom email verification flow which would prompt the user to authenticate before marking the email as verified. Hopefully Auth0 will bake that into a future version of the product.
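The linking rule the two replies above describe (prove access to both accounts before linking), sketched as an added example that is not part of the thread and is not Auth0's own code. The function names, the nonce binding and the 300-second freshness window are assumptions, and each claim set is assumed to come from an ID token that has already been validated.

```javascript
// Added example: hypothetical linking gate, not Auth0's API.
// Each "proof" is the claim set of an ID token whose signature, issuer and
// audience were already validated (assumption), using standard OIDC claims.
const MAX_AUTH_AGE_SECONDS = 300; // constructed freshness window

const normalizeEmail = (e) => String(e || '').trim().toLowerCase();

// Does this proof show a fresh login to `account` inside this linking transaction?
function provesControl(proof, account, txNonce, now) {
  if (!proof || proof.sub !== account.userId) return 'no login proof';
  if (proof.nonce !== txNonce) return 'proof from another transaction';
  const age = now - proof.auth_time;
  if (!(age >= 0 && age <= MAX_AUTH_AGE_SECONDS)) return 'login too old';
  if (proof.email_verified !== true) return 'email not verified';
  if (normalizeEmail(proof.email) !== normalizeEmail(account.email)) return 'email mismatch';
  return null;
}

function decideLink({ primary, secondary, primaryProof, secondaryProof, txNonce, now }) {
  if (normalizeEmail(primary.email) !== normalizeEmail(secondary.email)) {
    return { allow: false, reason: 'accounts have different emails' };
  }
  for (const [label, proof, account] of [
    ['primary', primaryProof, primary],
    ['secondary', secondaryProof, secondary],
  ]) {
    const problem = provesControl(proof, account, txNonce, now);
    if (problem) return { allow: false, reason: `${label}: ${problem}` };
  }
  return { allow: true, reason: 'both accounts proven in one transaction' };
}

// Constructed sample data modelled on the steps in the thread.
const now = 1700000000;
const google = { userId: 'google-oauth2|victim', email: 'victim@example.com' };
const password = { userId: 'auth0|attacker-made', email: 'Victim@example.com' };
const proofFor = (account, overrides = {}) => ({
  sub: account.userId, email: account.email, email_verified: true,
  auth_time: now - 30, nonce: 'tx-1', ...overrides,
});

// Password login only, email verified by the victim's click: no Google proof.
const takeover = decideLink({ primary: google, secondary: password,
  primaryProof: null, secondaryProof: proofFor(password), txNonce: 'tx-1', now });
// The real owner logs in to both accounts inside the same linking transaction.
const legit = decideLink({ primary: google, secondary: password,
  primaryProof: proofFor(google), secondaryProof: proofFor(password), txNonce: 'tx-1', now });
console.log(takeover, legit);
```

A matching, verified email alone never reaches the allow branch here; the Google login proof is what the password-only session cannot supply.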

Thanks for everyone’s help! Investigated and figured out what was going on!


Perfect! Glad to hear that! Can you share your findings here for the benefit of others? Thank you!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.