A vulnerability in OAuth 2.0 could result in an attacker being able to sign into a victim’s mobile app account and take control of it, security researchers have discovered.
In a recently published research paper (PDF) that was also detailed at the Black Hat Europe security conference, three researchers from the Chinese University of Hong Kong demonstrate the prevalence and severe impact of the vulnerability. According to the researchers, 41.21% of the 600 top-ranked Android apps that use the OAuth 2.0-based authentication service from Facebook, Google, or Sina are vulnerable.
Because of the widespread use of OAuth 2.0-based Single Sign-On (SSO) services for 3rd-party websites, the security researchers say, major Identity Providers (IdPs) such as Facebook, Google, and Sina have adapted OAuth 2.0 to support SSO for 3rd-party mobile apps on their social-media platforms. However, because of differences in system environments, “the original OAuth 2.0 protocol becomes under-specified.”
Specifically, IdPs have developed home-brewed extensions of their OAuth 2.0-based application programming interfaces (APIs) to support SSO for 3rd-party mobile apps on their platforms, but the operational requirements of such adaptations aren’t always documented or taken into consideration.
The authentication process is complicated, relying on the interaction between the 3rd-party (client-side) mobile app, the client-side IdP app, the 3rd-party app’s backend server, and the IdP server. The issue emerges when the data that the mobile app server receives from the other involved entities isn’t properly validated.
“The root cause of this vulnerability is a common, but misplaced trust in the authenticating information received by the 3rd party app’s backend server from its own client-side mobile app, which in turn, relies on potentially tampered information obtained from the client-side mobile app of the IdP,” the security researchers explain.
To demonstrate the security flaw, the researchers created a remote exploit that allows an attacker to sign into a victim’s mobile app account via OAuth 2.0 without requiring interaction from the victim. The researchers demonstrated the attack on the Android operating system, but they explain that iOS applications are vulnerable as well.
The security researchers also explain that the insecure implementations of OAuth 2.0 include cases where the backend server doesn’t check whether the received user-id is bound to the issued OAuth access token; where the mobile app doesn’t verify the IdP’s digital signature on the user identity profile; and where the mobile app retrieves the user information on the mobile device and passes it to the backend server as identity proof.
While analyzing mobile applications that use OAuth 2.0, the researchers discovered that 41.21% of them are vulnerable, which they say puts over a billion users at risk. Impacted programs include apps for travel planning, hotel booking, chatting, dating, finances, downloading, shopping, and browsing, as well as media players. The total number of downloads of vulnerable apps already exceeds 2.4 billion.
“After signing into the victim’s vulnerable mobile app account using our exploit, the attacker will have, in many cases, full access to the victim’s sensitive and private information which is hosted by the backend server(s) of the vulnerable mobile app. For some of these mobile applications, the online-currency/service credits associated with the victim’s account are also at the disposal of the attacker,” the researchers say.
The researchers suggest that IdPs should provide 3rd-party application developers with clearer and more security-focused usage guidelines for their OAuth 2.0-based SSO APIs. The backend server of a mobile app should trust only information exchanged with the IdP server directly; IdPs should issue private user identifiers on a per-mobile-app basis; and IdPs should conduct or insist on more thorough security testing of 3rd-party mobile apps, the researchers also say.
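The two backend behaviours contrasted above (trusting the user-id forwarded by the app versus trusting only what the IdP server says about the token, and the related mitigation of binding the token to the app it was issued for) can be shown side by side. The following is an added illustration, not code from the paper or from any of the apps or IdPs it examined; the IdP, its token-introspection call, the app identifiers and the account table are all constructed in-memory stand-ins.

```python
# Added example: a simplified 3rd-party backend handling a login request that
# its own mobile app forwards after an OAuth 2.0 SSO flow. The IdP is simulated.

# Constructed IdP state: access_token -> (user_id, app the token was issued to).
IDP_ISSUED_TOKENS = {
    "tok-alice-appA": ("uid-alice", "appA"),
    "tok-mallory-appA": ("uid-mallory", "appA"),
    "tok-alice-appB": ("uid-alice", "appB"),   # valid token, but for another app
}
OUR_APP_ID = "appA"  # assumed identifier of this backend's own mobile app

# Constructed account table of the 3rd-party backend.
ACCOUNTS = {"uid-alice": "alice@example.test", "uid-mallory": "mallory@example.test"}


def idp_introspect(access_token):
    """Simulated direct backend-to-IdP-server call (a stand-in for a real
    token-info endpoint, not a real API). Returns (user_id, app_id) or None."""
    return IDP_ISSUED_TOKENS.get(access_token)


def login_vulnerable(client_msg):
    """Insecure pattern described in the paper: the token is checked for
    validity, but the user-id that the client app supplied is trusted as-is
    and never checked against the user the IdP bound the token to."""
    if idp_introspect(client_msg["access_token"]) is None:
        return None
    return ACCOUNTS.get(client_msg["user_id"])


def login_hardened(client_msg):
    """Recommended pattern: the backend relies only on what the IdP server
    reports for the token; the client-supplied user-id is merely cross-checked
    and the token must have been issued to this app."""
    info = idp_introspect(client_msg["access_token"])
    if info is None:
        return None
    idp_user_id, token_app_id = info
    if token_app_id != OUR_APP_ID:
        return None  # token minted for a different app: not proof for this one
    if client_msg["user_id"] != idp_user_id:
        return None  # forwarded id does not match the token's real owner
    return ACCOUNTS.get(idp_user_id)


# Constructed requests: an honest one, one whose user-id does not match the
# token holder, and one carrying a matching but foreign-app token.
HONEST = {"access_token": "tok-alice-appA", "user_id": "uid-alice"}
MISMATCHED = {"access_token": "tok-mallory-appA", "user_id": "uid-alice"}
FOREIGN_APP = {"access_token": "tok-alice-appB", "user_id": "uid-alice"}
```

The vulnerable handler resolves the mismatched request to Alice's account, which is exactly the misplaced trust the researchers describe; the hardened handler rejects both the mismatched and the foreign-app request while still admitting the honest one.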