Privilege Escalation Attack on Auth0

Hello everyone,
In my use case, I have a website accessible only to authenticated users. I do have a large number of admins and a large number of users. I have Auth0 set up (free at this point) and it is working perfectly. However, I have a case where an authenticated user managed to steal the cookie of an admin, and by doing so the user gained admin privileges!

Any ideas or advice on how to fix this security bug?
Your help is much appreciated! Thanks in advance.


Hey there @john.r.johne, while I look into this challenge and bring it up to my team, I do have a couple questions. Do you know the end user who stole the cookie? How do you have Auth0 implemented? Have you disabled the admin’s account until this can be resolved? If you have your tenant name along with both user/admin details, please direct message them to me so I can further investigate what may be occurring. Thank you in advance.

I wanted to let you know I sent you a follow-up DM @john.r.johne. When you get a chance can you give that a look? Thanks!

