Hasty Briefs (beta)

AI slop security engineering: Okta's NextJS-0auth troubles

5 days ago
  • #AI
  • #security
  • #Okta
  • Reported two security issues to Okta’s auth0/nextjs-auth0 project in October.
  • One bug was an OAuth parameter injection that allowed token scoping abuse and token leaks.
  • Submitted a simple PR to fix the issue.
  • PR was closed after 3 weeks, with the maintainer attributing the fix to someone else via an AI-generated commit.
  • Maintainer admitted to using AI, which led to incorrect attribution and an AI-generated apology.
  • Request to correct commit attribution was refused, raising copyright concerns.
  • AI-generated details included a non-existent email, suggesting low-quality AI usage.
  • The first bug, which allowed account hijacking, was fixed, but Okta’s security team would not recognize it as a security issue without a demonstration video, a requirement the author considers unreasonable.
  • Maintainer Tushar Pandey did not correct the attribution mistake.
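The summary above does not say which parameters were injectable or where the tokens leaked. The following is an added example, not code from auth0/nextjs-auth0 or from the original post, that illustrates the general class of bug the second bullet names: a login route that copies caller-controlled query parameters onto the authorization request lets a crafted link widen `scope` or redirect the authorization code to a host the attacker controls. The hardened builder keeps server-configured values fixed and rejects anything outside an explicit allow-list. The issuer URL, `client_id`, `redirect_uri`, and the `returnTo` parameter name are assumptions made for this example.

```javascript
// Added example (not code from auth0/nextjs-auth0 or from the original post).
// Illustrates the general "OAuth parameter injection" class: a login route that
// forwards caller-controlled query parameters into the authorization request.
// The issuer, client_id, redirect_uri and returnTo below are assumed values.

const AUTHORIZE_ENDPOINT = "https://issuer.example/authorize"; // assumed
const SERVER_CONFIG = {
  client_id: "example-client-id",                        // assumed
  redirect_uri: "https://app.example/api/auth/callback", // assumed
  scope: "openid profile",
  response_type: "code",
};

// Vulnerable pattern: every query parameter the caller sent to /login is copied
// onto the authorization URL after the server config, so it overrides
// server-configured values (widen `scope`, or point `redirect_uri` at a host the
// caller controls so the authorization code is delivered there).
function buildAuthorizeUrlVulnerable(loginQuery) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  for (const [k, v] of Object.entries(SERVER_CONFIG)) url.searchParams.set(k, v);
  for (const [k, v] of Object.entries(loginQuery)) url.searchParams.set(k, v);
  return url.toString();
}

// Hardened pattern: only an explicit allow-list of caller-influenced parameters
// is accepted, none of them is forwarded to the issuer, and the server config
// is written last so nothing can override it. Unknown parameters are reported
// so the route can answer 400 instead of silently proceeding.
const CALLER_ALLOWED = new Set(["returnTo"]); // assumed application parameter
function buildAuthorizeUrlHardened(loginQuery, state) {
  const rejected = Object.keys(loginQuery).filter((k) => !CALLER_ALLOWED.has(k));
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("state", state); // bound to the session, not caller-chosen
  for (const [k, v] of Object.entries(SERVER_CONFIG)) url.searchParams.set(k, v);
  // returnTo (if present) stays server-side, e.g. stored against `state`,
  // and is never placed on the authorization URL.
  return { url: url.toString(), rejected };
}

// Helper: parse the query string of a built URL back into an object.
function paramsOf(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams.entries());
}

// Constructed attacker input: the query string of a crafted /login?... link.
const ATTACKER_QUERY = {
  scope: "openid profile offline_access read:admin",
  redirect_uri: "https://attacker.example/collect",
};

console.log("vulnerable:", paramsOf(buildAuthorizeUrlVulnerable(ATTACKER_QUERY)));
console.log("hardened:  ", buildAuthorizeUrlHardened(ATTACKER_QUERY, "s1"));
```

The vulnerable builder ends up with the attacker's `scope` and `redirect_uri` on the wire; the hardened one keeps the server's values and names `scope` and `redirect_uri` as rejected parameters, which is the point at which the route should refuse the request.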