AI slop security engineering: Okta’s nextjs-0auth troubles
In October, I reported two security issues to Okta’s auth0/nextjs-auth0 project, here and here. The latter bug, an OAuth parameter injection, allows for a range of abuses, like scoping tokens for unintended services, setting redirect_uri and scope to arbitrary values to leak tokens, and so on.
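The injection class described above, as an added example that is not nextjs-auth0's own code: a login handler that spreads the request query into the authorization parameters, beside one that accepts only an allowlist of caller-settable keys. The application origin, client id and parameter names are assumptions.

```javascript
// Added example, not nextjs-auth0's own code: the login handler builds the
// authorization request from server-side constants; incoming query parameters
// must not be able to override redirect_uri, scope, audience, and so on.
const APP_ORIGIN = "https://app.example.com"; // assumed application origin
const FIXED_AUTH_PARAMS = {
  client_id: "example-client-id", // constructed placeholder
  redirect_uri: `${APP_ORIGIN}/api/auth/callback`,
  scope: "openid profile email",
  response_type: "code",
};
// The only caller-controlled keys accepted (hypothetical names).
const ALLOWED_QUERY_KEYS = new Set(["returnTo", "login_hint"]);

// Vulnerable pattern: spreading the request query over the fixed parameters
// lets the request replace redirect_uri, scope or any other parameter.
function buildAuthParamsUnsafe(query) {
  return { ...FIXED_AUTH_PARAMS, ...query };
}

// Hardened: copy allowlisted keys only; server-set parameters always win, and
// returnTo (kept locally, never sent to the authorization server) must be a
// same-origin path so it cannot become an open redirect.
function buildAuthParamsSafe(query) {
  const authParams = { ...FIXED_AUTH_PARAMS };
  let returnTo = "/";
  for (const [key, value] of Object.entries(query)) {
    if (!ALLOWED_QUERY_KEYS.has(key) || typeof value !== "string") continue;
    if (key === "returnTo") {
      let target;
      try { target = new URL(value, APP_ORIGIN); } catch { continue; }
      if (target.origin === APP_ORIGIN) returnTo = target.pathname + target.search;
      continue;
    }
    authParams[key] = value; // e.g. login_hint
  }
  return { authParams, returnTo };
}

// Constructed sample query resembling an injection attempt.
const SAMPLE_QUERY = {
  returnTo: "//evil.example/steal",
  redirect_uri: "https://evil.example/cb",
  scope: "openid offline_access",
  login_hint: "user@example.com",
};
```

Running `buildAuthParamsSafe(SAMPLE_QUERY)` keeps the fixed redirect_uri and scope, passes login_hint through, and falls back to "/" for the protocol-relative returnTo; the unsafe variant lets every injected value through.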
The patch was simple enough, so I opened a PR:
diff --git a/src/server/helpers/with-page-auth-required.ts b/src/server/helpers/with-page-auth-required.ts
index 41af2dfe..f07046b8 100644
--- a/src/s...
Read more at joshua.hu