AI slop security engineering: Okta’s nextjs-0auth troubles | Joshua.Hu

In October, I reported two security issues in Okta’s auth0/nextjs-auth0 project here and here. The latter bug, an OAuth parameter injection, allows several types of abuse, such as scoping tokens for unintended services, setting redirect_uri and scope to arbitrary values to leak tokens, etc.
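To make the injection concrete, here is an added example (not code from this post or from nextjs-auth0) that parses the login URL produced by the unencoded and the encoded template strings from the patch in this post. The loginUrl value, the origin and the returnTo input are constructed assumptions.

```javascript
// Added example; LOGIN_URL, the origin and the sample input are constructed.
const LOGIN_URL = "/auth/login"; // assumed stand-in for config.loginUrl

// Pre-patch template: returnTo is interpolated into the query string raw.
function buildUnencoded(returnTo) {
  return `${LOGIN_URL}${returnTo ? `?returnTo=${returnTo}` : ""}`;
}

// Patched template: returnTo is percent-encoded first.
function buildEncoded(returnTo) {
  return `${LOGIN_URL}${returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`;
}

// Parse a login URL the way a receiving handler's URL parser would.
function loginParams(loginUrl) {
  const url = new URL(loginUrl, "https://app.example"); // placeholder origin
  return Object.fromEntries(url.searchParams);
}

// Names of query parameters other than returnTo: anything listed here
// arrived inside the returnTo value and escaped into the outer query.
function injectedParams(loginUrl) {
  return Object.keys(loginParams(loginUrl)).filter((k) => k !== "returnTo");
}

// Constructed returnTo value that carries its own "&name=value" pairs.
const sample =
  "/dashboard?tab=1&scope=constructed-scope&redirect_uri=https://other.example/cb";

console.log("unencoded:", injectedParams(buildUnencoded(sample)));
console.log("encoded:  ", injectedParams(buildEncoded(sample)));
console.log(
  "returnTo round-trips intact:",
  loginParams(buildEncoded(sample)).returnTo === sample
);
```

A check like injectedParams works as a regression test for any helper that builds the login redirect: it should return an empty list for every returnTo input.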

The patch was simple enough, so I opened a PR:

diff --git a/src/server/helpers/with-page-auth-required.ts b/src/server/helpers/with-page-auth-required.ts
index 41af2dfe..f07046b8 100644
--- a/src/server/helpers/with-page-auth-required.ts
+++ b/src/server/helpers/with-page-auth-required.ts
@@ -196,7 +196,7 @@ export const appRouteHandlerFactory =
           : opts.returnTo;
       const { redirect } = await import("next/navigation.js");
       redirect(
-        `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}`
+        `${config.loginUrl}${opts.returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`
       );
     }
     return handler(params);
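Review bot: In the redirect( call, the ternary is gated on opts.returnTo but the value written into the URL is returnTo, the variable assigned by the conditional that ends on the first context line. If that computed value can be undefined or empty while opts.returnTo is set, the query becomes returnTo=undefined or an empty returnTo=, so consider gating on returnTo itself. Building the query with URLSearchParams instead of a template string would also keep encoding from depending on each call site remembering encodeURIComponent. A regression test that passes a returnTo containing & and = and asserts the resulting login URL has exactly one query parameter would pin this fix.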

All’s well that ends well, right? Obviously, no.


The PR was closed, 3 weeks later, by the maintainer, an auth0 (an Okta company) employee, with the following comment:

This is superseded by change #2413. This was to ensure that the commits were signed. The original contribution history has been preserved. So I am closing this PR now.

Hmm, let’s take a look at that PR:

[Image: auth0/nextjs-auth0 #2413]

Hmm. That patch looks familiar. And who is Simen Olsen?

Emphasizing the attribution error, I replied:

History has been preserved

No, it is not so. I don’t know who “Simen AW Olsen my@simen.io” is, but it’s not me and my commit here doesn’t reference that name or email address at all. Was it AI generated or something else?

Of course, the answer was: yes. This was AI’s negligence.

Hello @MegaManSec I sincerely apologize for this attribution error.

Can confirm that an AI workflow was used to create the rebased commit, which got confused with the OP description. I’ve added a fix to #2413, and will make sure the changelog gets updated.

Thanks for highlighting this, we will make sure it doesn’t happen again.

Not only did the maintainer explain the above, but they also used AI to generate the response! In a now-deleted comment, they apparently used some AI to respond to my complaint:

[Image: now-deleted comment on auth0/nextjs-auth0 #2413]

With the classic ChatGPT “you are absolutely right”, it is very disappointing that this developer used AI. They:

  1. Took my report/PR and committed it themselves.
  2. Used AI to commit it, removing my attribution.
  3. Used AI to “apologize” for using AI, then said “it won’t happen again” – (yeah, right; please provide a detailed explanation of how you would ensure this, when clearly a 1-line code change is too much for your AI to handle without breaking).
  4. Refused to fix the commit by removing the invalid/AI-generated-slop description and adding mine back.

Indeed, when I asked:

I would appreciate a force correction to the commit to properly include my information in the commit.

I was told they couldn’t change it. This sounds like a copyright violation to me: taking someone else’s code, then changing the author’s name?

What I really find the most interesting is how this even became AI slop. I can’t find any reference to the email address “my@simen.io” anywhere online. On GitHub, the only reference to this email address is from the nextjs-auth0 PR. Simen Olsen has never contributed to the nextjs-auth0 repository as far as I can tell (searching org:auth0 author:simenandre on GitHub), and it doesn’t even seem to be their actual email address. So was this some kind of AI hallucination? And why? The code change was small. I don’t fully understand it: I have really never had some AI tooling fail like this and come up with someone else’s (fake) contact details. This is absolutely absurd; are auth0’s engineers using some extremely (extremely) low-quality local model or something else? If ChatGPT failed like this for me even once out of every thousand times, I would never use it again.

Finally, at the time of writing this, the auth0/nextjs-auth0 maintainer, Tushar Pandey, who made all these mistakes, has not fixed the attribution mistake in the commit history. Also, the first bug in this software, which allowed arbitrary account hijacking, has been fixed after 3 weeks and new versions of the nextjs-auth0 software have been released, but Okta’s security people say “unless you make a video abusing this vulnerability, we won’t accept it as a security issue” – LMAO; “Yes, this is a vulnerability, we fixed it in the code, it can be used to hijack accounts, but you need to shoot a video”. Hilarious. This is another case to add to my list of ridiculous problems related to security issue reporting, which my next post will document.


