
Can a Hacker with Admin Permission to My Desktop View My Access Tokens or Connection Properties

security-questions
#1

I am writing a WPF desktop application. I use the Auth0 SDK to log in to my Auth0 domain and obtain an access token to my API and an ID token. I do so by calling

LoginResult loginResult = await client.LoginAsync(extraParameters);

My loginResult.AccessToken and loginResult.IdentityToken contain my tokens as I expect.

Isn’t it possible for a hacker who obtains Admin access to my computer to see these tokens stored in RAM or, if persisted, in the disk cache? If so, can’t he use these tokens to access my APIs?

How does one prevent this from happening?

#2

Hello @TheLoneCoder,

If someone gains administrative access to your computer, then “all bets are off” as they say. You cannot stop them from accessing everything and anything on your machine, and leveraging any existing connections to other services.

The best ways to mitigate this risk are to use multi-factor authentication capabilities and keep your token lifetime short. There’s still a risk there, but there’s only so much you can do once someone has root privileges on your machine.

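As an added example (not code from this thread or from the Auth0 SDK), here is one way to act on that advice inside the WPF app from the question: hold the tokens only in memory, refuse a session whose ID token does not record that MFA ran, and reject an access token whose lifetime is longer than intended. It assumes the Auth0.OidcClient.WPF package (Auth0Client, LoginResult), that an audience was requested so the access token is a JWT rather than an opaque string, and that Auth0 adds "mfa" to the ID token's amr claim when a second factor completed. The 15-minute ceiling and the TokenHygiene/ApiSession names are illustrative choices, not anything the SDK provides.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Auth0.OidcClient;          // Auth0.OidcClient.WPF NuGet package (Auth0Client)
using IdentityModel.OidcClient;  // LoginResult, returned by Auth0Client.LoginAsync

public static class TokenHygiene
{
    // Illustrative policy value (assumption): refuse to hold an access token that is valid
    // for longer than this. The API's token lifetime itself is set per API in the Auth0 dashboard.
    public static readonly TimeSpan MaxAccessTokenLifetime = TimeSpan.FromMinutes(15);

    // Decode a JWT payload WITHOUT verifying its signature. This is only a local policy check
    // on iat/exp/amr; the API that receives the token is what verifies it, never this client.
    public static JsonDocument ReadPayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Not a compact JWS (Auth0 issues opaque access tokens when no audience is requested).");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');          // base64url -> base64
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');     // restore padding
        return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
    }

    // Issued-to-expiry window of a JWT, from its iat and exp claims.
    public static TimeSpan Lifetime(string jwt)
    {
        using JsonDocument doc = ReadPayload(jwt);
        long iat = doc.RootElement.GetProperty("iat").GetInt64();
        long exp = doc.RootElement.GetProperty("exp").GetInt64();
        return TimeSpan.FromSeconds(exp - iat);
    }

    // True when the ID token's amr claim lists "mfa"; absence means the login was single-factor.
    public static bool UsedMfa(string idToken)
    {
        using JsonDocument doc = ReadPayload(idToken);
        if (!doc.RootElement.TryGetProperty("amr", out JsonElement amr) || amr.ValueKind != JsonValueKind.Array)
            return false;
        foreach (JsonElement method in amr.EnumerateArray())
            if (method.GetString() == "mfa") return true;
        return false;
    }
}

public sealed class ApiSession
{
    private readonly Auth0Client _client;
    // The tokens live only in this field: never in settings, logs, or a file on disk.
    private LoginResult? _login;

    public ApiSession(Auth0Client client) => _client = client;

    public async Task<string> GetAccessTokenAsync()
    {
        // Re-authenticate when nothing is held or the held token is within 30 s of expiry.
        if (_login is null || _login.AccessTokenExpiration <= DateTimeOffset.UtcNow.AddSeconds(30))
        {
            LoginResult result = await _client.LoginAsync();
            if (result.IsError) throw new InvalidOperationException(result.Error);

            if (!TokenHygiene.UsedMfa(result.IdentityToken))
                throw new InvalidOperationException("MFA was not performed; refusing to use this session.");

            TimeSpan lifetime;
            try { lifetime = TokenHygiene.Lifetime(result.AccessToken); }
            catch (FormatException) { lifetime = result.AccessTokenExpiration - DateTimeOffset.UtcNow; } // opaque token
            if (lifetime > TokenHygiene.MaxAccessTokenLifetime)
                throw new InvalidOperationException($"Access token is valid for {lifetime}; shorten the API token lifetime in Auth0.");

            _login = result;
        }
        return _login.AccessToken;
    }
}
```

None of this changes the answer above: an attacker with administrator rights can still read `_login` out of the process memory, or simply drive the already-authenticated application. What it buys is a smaller window (a stolen token is good for minutes, not days) and a guarantee that the session the attacker inherits was at least MFA-protected when it was created, so a password alone does not let them mint a fresh one.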