Can a Hacker with Admin Permission to My Desktop View My Access Tokens or Connection Properties

TheLoneCoder · February 8, 2019, 7:39am

I am writing a WPF desktop application. I use the Auth0 SDK to login into my Auth0 domain and obtain an access token to my API and an ID token. I do so by calling

LoginResult loginResult = await client.LoginAsync(extraParameters)

My loginResult.AccessToken and loginResult.IdentityToken contain my tokens as I expect.

Isn’t it possible for a hacker who obtains Admin access to my computer to see these tokens stored in RAM or if persisted to the disc cache? If so, can’t he use these tokens to access my APIs?

How does one prevent this from happening?

markd · February 8, 2019, 1:45pm

Hello @TheLoneCoder,

If someone gains administrative access to your computer, then “all bets are off” as they say. You cannot stop them from accessing everything and anything on your machine, and leveraging any existing connections to other services.

The best ways to mitigate this risk is to use multi-factor authentication capabilities, and keep your token lifetime short. There’s still a risk there, but there’s only so much you can do once someone has root privileges on your machine.

Topic		Replies	Views
auth0.getTokenSilently vs storing access token in localstorage Get Help auth0-spa-js , sdks-quickstarts	0	1629	June 22, 2023
Identity provider access tokens in actions Get Help access_token , access-token	9	4183	March 14, 2022
Where Do you Suggest Storing the Auth0 Domain and Client ID in a WPF Application? Get Help	7	5755	February 26, 2019
Basic Auth0 question about JWT id_tokens and Universal Login flow Get Help login-experience , new-universal-login-experience	4	797	September 7, 2023
Does Auth0 prevent the user to be logged in at two different places? Get Help authentication-api	10	5799	May 25, 2019

Can a Hacker with Admin Permission to My Desktop View My Access Tokens or Connection Properties

Related topics