Why are wildcard subdomains considered to be insecure?

Problem statement

Due to the nature of our business, we would need to configure our application with a large number of Allowed Callback URLs and Allowed Logout URLs. We thought wildcard subdomains might help, but the Auth0 documentation states that they should not be used in a production environment:

What is the exact nature of the security threat that wildcard subdomains might pose to my application?

Solution

The risk is mainly a subdomain takeover scenario: if any host matched by the wildcard is abandoned or its DNS record points at infrastructure you no longer control, whoever takes over that host receives whatever Auth0 redirects there.

The exact risk depends on which of the configured URL types the wildcard is used in. The potential consequences for each type are:

  • Callback URLs could direct the resulting access/ID tokens to the wrong receiver (e.g. allowing user spoofing or impersonation).
  • Logout URLs could redirect users to the wrong destination after logging out (e.g. spoofing via a phishing site).
  • Origin URLs, which would otherwise restrict where sign-in requests may come from, could no longer enforce that protection (e.g. cookies leaked in follow-up requests).

In general, when the list of subdomains is finite and known, the recommendation is to define and maintain that list explicitly rather than use a wildcard character. A wildcard is like leaving the door open: one of the matching subdomains might not be using HTTPS, and if tokens are sent to it because an earlier request authenticated through another subdomain's application, they could easily be intercepted. In summary, you need to balance security against the maintainability of the subdomain lists.
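To make the difference concrete, the following is an added example (not code from the article or from Auth0) that models how an authorization server compares a client's redirect_uri against its configured Allowed Callback URLs. It evaluates the same constructed URIs under an explicit allowlist and under a wildcard pattern; all hostnames (`example.com` and its subdomains, `evil.test`) are constructed for the illustration. The decommissioned `promo-2019` host stands in for the dangling subdomain that makes a takeover possible.

```python
"""Exact-match vs wildcard matching of OAuth redirect (callback) URIs.

Added example, not Auth0's own code. It shows why an explicitly maintained
list of callback URLs is safer than a wildcard pattern: a wildcard keeps
accepting hosts the business has stopped operating, while plain-HTTP and
lookalike hosts are rejected under both policies. All names are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: every subdomain the business actually operates.
EXACT_ALLOWLIST = {
    "https://app.example.com/callback",
    "https://portal.example.com/callback",
}

# Constructed wildcard pattern configured "for convenience" over the same domain.
WILDCARD_PATTERNS = ["https://*.example.com/callback"]


def _normalize(uri):
    """Canonical form for comparison: lower-case scheme and host, keep port and path.

    Returns None for URIs carrying a query or fragment, which this policy
    does not accept as redirect targets.
    """
    parts = urlsplit(uri)
    if parts.query or parts.fragment:
        return None
    host = parts.hostname or ""  # urlsplit already lower-cases the host
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path}"


def is_allowed_exact(redirect_uri, allowlist):
    """Strict policy: the URI must appear verbatim in the maintained list."""
    norm = _normalize(redirect_uri)
    return norm is not None and norm in {_normalize(u) for u in allowlist}


def matches_wildcard(redirect_uri, pattern):
    """Wildcard policy: '*' stands for exactly one DNS label in the host.

    Scheme and path must still match exactly, so an http:// URI never
    matches an https:// pattern, and a lookalike host with extra labels
    (app.example.com.evil.test) does not match either.
    """
    uri = urlsplit(redirect_uri)
    pat = urlsplit(pattern)
    if uri.query or uri.fragment:
        return False
    if uri.scheme.lower() != pat.scheme.lower() or uri.path != pat.path:
        return False
    host_labels = (uri.hostname or "").split(".")
    pat_labels = (pat.hostname or "").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(pat_labels, host_labels))


def is_allowed_wildcard(redirect_uri, patterns):
    return any(matches_wildcard(redirect_uri, p) for p in patterns)


def compare_policies(redirect_uri):
    """Evaluate one redirect_uri under both policies."""
    return {
        "exact": is_allowed_exact(redirect_uri, EXACT_ALLOWLIST),
        "wildcard": is_allowed_wildcard(redirect_uri, WILDCARD_PATTERNS),
    }


if __name__ == "__main__":
    # Constructed scenarios. promo-2019.example.com stands for a subdomain whose
    # DNS record still exists but whose hosting was decommissioned: the
    # dangling record that a subdomain takeover abuses. Only the explicit
    # allowlist keeps tokens away from it.
    for uri in [
        "https://app.example.com/callback",            # legitimate: both accept
        "https://promo-2019.example.com/callback",     # dangling host: only wildcard accepts
        "http://portal.example.com/callback",          # plain HTTP: both reject
        "https://app.example.com.evil.test/callback",  # lookalike host: both reject
    ]:
        print(f"{uri:48} {compare_policies(uri)}")
```

The point of the comparison is the second row: the wildcard policy has no way to know that `promo-2019` is no longer yours, so removing a host from service must also mean removing it from the callback list, which is only possible when that list is explicit.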