Clickjacking via iframes

Our security team flagged a medium severity security concern with Auth0 login, during a penetration test on a regular web app secured with Auth0. The concern is about the potential for click-jacking. Whilst I’ve already asked about CSP as one defense, it is also suggested to add this header in your login web pages to prevent them opening in iframes:

X-FRAME-OPTIONS: deny

I note that this is a “should” recommendation in the OAuth2 spec.

Hi @davidread,

Thank you for bringing this to our attention. I am reporting it to our security team, and will report back here with any further details.

Thanks,
Dan

edit: as mathias mentioned, we ask that future security concerns be submitted to Auth0: Secure access for everyone. But not just anyone. and not disclosed publicly. Thanks again for reaching out @davidread

@davidread Did you check Clickjacking Protection for Universal Login Change?

Instead of adding these headers for all customers, therefore, Auth0 has added an opt-in for these headers which we strongly recommend you to enable.
You can do this by navigating to Tenant Settings > Advanced Settings, scrolling to ‘Migrations’, and turning OFF the ‘Disable clickjacking protection for Classic Universal Login’ setting. This action is not required if you are using the New Universal Login Experience as those headers are always set.

You can enable the clickjacking protection there:

If you still have concerns, please use our Responsible Disclosure Program for anything that might be a security vulnerability. Auth0: Secure access for everyone. But not just anyone.. In fact, this should always be the first contact point for any security concerns.

1 Like

Many thanks Dan and Mathias - that option fixes it for me, so thanks for linking to that.

Good call that these conversations are better under responsible disclosure - will do so next time.

3 Likes

Glad to hear that solved it.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.