Auth0 Security Bulletin for Assigning Scopes Based on Email Address
Overview
If you:
Use rules to assign scopes to users based on their email addresses and
Your application uses multiple connections
There is a possibility that your scopes could be compromised.
How This Works
Auth0 requires that email addresses are unique on a per-connection basis. However, there are no limitations on a per-application basis.
Therefore, it is possible for user A to sign up for the application using one connection and user B to sign up for the application with the same email address using a different connection.
If your rules assign scopes to users based on email address, the second user has now been given the same scopes as the first user, despite being a different individual.
How do I fix this?
The most straightforward mitigation is to require users to verify their email address after signing up and before being allowed to log in.