✏️ Changes
We were not verifying the access token's issuer to be the RTA previously, so any valid token would allow the extension to be launched, and a webtask token would be leaked into the page.
🔗 References
https://auth0team.atlassian.net/browse/SEC-530
🎯 Testing
We pushed this extension to our testing tenant manually. We were still able to log in as usual from the dashboard. We crafted a token according to the linked security ticket, and when posting it to `/callback`, we now get an error message saying that the issuer is invalid.