User automatically proceeds through the Auth0 universal login after app uninstall #761
Open
Labels: bug
Description
If the user logs in via Universal Login, then decides to uninstall and reinstall the app (without first logging out), and then goes through Universal Login again, the user will automatically go through without resubmitting and verifying their credentials.
This bug seems to expose a potential security vulnerability with the Auth0 SDK implementation, and to be honest I am extremely surprised this hasn't been patched.
This is related to this other issue regarding ephemeral session support. I humbly think such support should be default behavior on Auth0. Otherwise we run into super weird behavior cases such as this one.
I've verified this occurs on the Sample, both on 2.11.0 (which our organization is using) and on latest main.
We can try triggering the logout flow every time before starting the login flow, but the UX is not smooth and will make our app look bad.
Please advise any more viable workarounds. If this is not as much of a security concern as I'm making it out to be, please provide a message I can share with our organization if they decide to consider this a blocker for us adopting the Auth0 Android SDK. Thank you.
Reproduction
Additional context
No response
Auth0.Android version
2.11.0
Android version(s)
14
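An added example (not code from the issue or from Auth0.Android itself) showing two ways an app can make the Universal Login step re-verify credentials after a reinstall: the logout-before-login workaround the reporter mentions, and passing the standard OIDC `prompt=login` parameter through `withParameters`. The client ID, domain and redirect scheme are placeholders, and the `Auth0` constructor and builder methods are those of the 2.x line the issue is filed against.

```kotlin
import android.content.Context
import com.auth0.android.Auth0
import com.auth0.android.authentication.AuthenticationException
import com.auth0.android.callback.Callback
import com.auth0.android.provider.WebAuthProvider
import com.auth0.android.result.Credentials

// Placeholder tenant values (constructed for this example, not from the issue).
val account = Auth0("YOUR_CLIENT_ID", "YOUR_TENANT.auth0.com")
const val SCHEME = "demo"

/**
 * Option A: send prompt=login. This standard OIDC parameter tells the Universal
 * Login page to ask for credentials even when the browser still holds an Auth0
 * SSO cookie from before the app was uninstalled. The cookie itself is not
 * cleared; only the credential check is forced.
 */
fun loginRequiringCredentials(context: Context, callback: Callback<Credentials, AuthenticationException>) {
    WebAuthProvider.login(account)
        .withScheme(SCHEME)
        .withScope("openid profile email")
        .withParameters(mapOf("prompt" to "login"))
        .start(context, callback)
}

/**
 * Option B: the workaround the reporter mentions. Clear the browser-side Auth0
 * session first, then start Universal Login. The user sees two browser hops,
 * which is the UX cost the report describes.
 */
fun logoutThenLogin(context: Context, callback: Callback<Credentials, AuthenticationException>) {
    WebAuthProvider.logout(account)
        .withScheme(SCHEME)
        .start(context, object : Callback<Void?, AuthenticationException> {
            override fun onSuccess(result: Void?) {
                WebAuthProvider.login(account)
                    .withScheme(SCHEME)
                    .start(context, callback)
            }

            override fun onFailure(error: AuthenticationException) {
                // Logout is best effort (e.g. the user dismissed the browser tab);
                // still proceed to login so the app does not get stuck.
                WebAuthProvider.login(account)
                    .withScheme(SCHEME)
                    .start(context, callback)
            }
        })
}
```

To confirm which behaviour you are seeing, run the reporter's steps (login, uninstall, reinstall, login) once with plain `WebAuthProvider.login` and once with `loginRequiringCredentials`; only the second should present the credential form.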