OAuth 2.0 Vulnerability Leads to Account Takeover

A vulnerability in OAuth 2.0 could result in an attacker being able to sign into a victim’s mobile app account and take control of it, security researchers have discovered.

In a recently published research paper (PDF) that was also detailed at the Black Hat Europe security conference, three researchers from the Chinese University of Hong Kong demonstrate the prevalence and severe impact of the vulnerability. According to the researchers, 41.21% of the 600 top-ranked Android apps that use the OAuth 2.0-based authentication service from Facebook, Google, or Sina are vulnerable.

Because of the widespread use of OAuth 2.0-based Single-Sign-On (SSO) services for 3rd party websites, the security researchers say, major Identity Providers (IdPs) such as Facebook, Google, and Sina, have adapted OAuth 2.0 to support SSO for 3rd-party mobile apps on their social-media platforms. However, because of differences in system environments, “the original OAuth 2.0 protocol becomes under-specified.”

Specifically, IdPs have developed home-brewed extensions of their OAuth 2.0-based Application Programming Interfaces (APIs) to support SSO for 3rd-party mobile apps on their platforms, but the operational requirements of such adaptations aren’t always documented or taken into consideration by app developers.

The authentication process is complicated, relying on the interaction between the 3rd-party (client-side) mobile app, the client-side IdP app, the 3rd-party app’s backend server, and the IdP server. The issue emerges when the data that the mobile app server receives from the other involved entities isn’t properly validated.

“The root cause of this vulnerability is a common, but misplaced trust in the authenticating information received by the 3rd party app’s backend server from its own client-side mobile app, which in turn, relies on potentially tampered information obtained from the client-side mobile app of the IdP,” the security researchers explain.

To demonstrate the security flaw, the researchers created a remote exploit that allows an attacker to sign into a victim’s mobile app account via OAuth 2.0 without requiring interaction from the victim. The researchers demonstrated the attack on the Android operating system, but they explain that iOS applications are vulnerable as well.

The security researchers also describe several insecure implementations of OAuth 2.0: the backend server doesn’t check that the received user ID is bound to the issued OAuth access token; the mobile app doesn’t verify the IdP’s digital signature on the user identity profile; and the mobile app retrieves the user information on the mobile device and forwards it to the backend server as proof of identity.

While analyzing mobile applications that use OAuth 2.0, the researchers discovered that 41.21% of them are vulnerable, and say that they put over a billion users at risk. Impacted programs include apps for travel planning, hotel booking, chatting, dating, finances, downloading, shopping, and browsing, as well as media players. The total number of downloads of vulnerable apps already exceeds 2.4 billion.

“After signing into the victim’s vulnerable mobile app account using our exploit, the attacker will have, in many cases, full access to the victim’s sensitive and private information which is hosted by the backend server(s) of the vulnerable mobile app. For some of these mobile applications, the online-currency/ service credits associated with the victim’s account are also at the disposal of the attacker,” the researchers say.

The researchers suggest that IdPs should provide 3rd-party application developers with clearer and more security-focused usage guidelines for their OAuth 2.0-based SSO APIs. The backend server of a mobile app should trust only information exchanged with the IdP server directly; IdPs should issue private user identifiers on a per-mobile-app basis; and IdPs should conduct, or insist on, more thorough security testing of 3rd-party mobile apps, the researchers also say.
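The root cause described above (a backend that accepts a user ID forwarded by its own mobile app without binding it to the access token) and the recommended fix (trust only what the IdP server says, scoped to this app) side by side, as an added example that is not code from the paper or from any IdP. The IdP token-verification call and all tokens are constructed stand-ins for a real server-to-server token-info request.

```python
# Added example: a mobile-app backend's login endpoint in its vulnerable and
# hardened forms. IDP_TOKENS and idp_verify_token() are a constructed mock of
# the IdP server's token-info endpoint (assumption), not a real IdP API.

APP_ID = "app-1"  # this backend's own client id at the IdP (constructed)

# Constructed IdP state: which access token was issued to which user and app.
IDP_TOKENS = {
    "tok-victim":    {"user_id": "victim",   "app_id": "app-1"},
    "tok-attacker":  {"user_id": "attacker", "app_id": "app-1"},
    "tok-other-app": {"user_id": "victim",   "app_id": "app-2"},
}


def idp_verify_token(access_token, app_id):
    """Server-to-server check: the user the token is bound to, for this app only."""
    info = IDP_TOKENS.get(access_token)
    if info is None or info["app_id"] != app_id:
        return None
    return info["user_id"]


def create_session(user_id):
    return {"session_user": user_id}


def vulnerable_login(request):
    """Checks that the token is valid, then trusts the user_id the mobile app
    forwarded from the IdP's client app; the two are never bound together."""
    if idp_verify_token(request["access_token"], APP_ID) is None:
        return None
    return create_session(request["user_id"])


def hardened_login(request):
    """Derives the identity solely from the IdP server's answer for this app.
    A client-supplied user_id is accepted only if it matches that answer."""
    user_id = idp_verify_token(request["access_token"], APP_ID)
    if user_id is None:
        return None
    if request.get("user_id") not in (None, user_id):
        return None
    return create_session(user_id)


if __name__ == "__main__":
    # A valid token for one account paired with a different account's user id.
    mismatched = {"access_token": "tok-attacker", "user_id": "victim"}
    print(vulnerable_login(mismatched))  # session for "victim"
    print(hardened_login(mismatched))    # None
```

The hardened handler also rejects a token the IdP issued to a different app, which is what per-app scoping of identifiers buys the backend.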

Related: Google to Revoke OAuth 2.0 Tokens Upon Password Reset

Related: Enterprises Warned About Risky Connected Third-Party Apps

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
