Exploiting Auth0 Misconfigurations: A Case Study on Account Linking Vulnerabilities
How a Custom Token Generation Flow in Auth0 Enabled Unintended Account Linking
Series
In this series, I’ll be publishing real-world write-ups of security vulnerabilities I found during penetration tests, bug bounty hunting, and security research. Expect advanced exploitation scenarios, PoCs, and some spicy edge-case bugs.
How a Custom Token Generation Flow in Auth0 Enabled Unintended Account Linking
Deep Dive into a Subtle Auth0 Misconfiguration Leading to Full Account Takeover. Introduction: This post documents a critical 1-click Account Takeover (ATO) vulnerability discovered in an application using Auth0 for authentication. By chaining: A hid...
Introduction: Authentication systems serve as the gatekeepers to user accounts and sensitive data. Ensuring their security is crucial to prevent unauthorized access, data breaches, and loss of user trust. Email normalization, the proce...
What’s Up, Everyone? Hope y’all are doing awesome! In this post, I’m gonna spill the beans on a bug I discovered while poking around a public program. I won’t be dropping any details about the actual target, just the relevant bits abo...