Security Experts:

FireEye Launches OAuth Attack Testing Platform

FireEye on Monday announced the availability of a platform to allow organizations and pentesters check their ability to detect and respond to OAuth abuse attacks.

OAuth 2.0 is a protocol employed by major Internet companies, including Amazon, Google, Facebook, and Microsoft, to facilitate granting third-party applications access to user data. Using social engineering, attackers can trick victims into authorizing a third-party application to access their account, thus gaining access to all of the user's data without the need for credentials.

“In releasing the tool, we hope to increase awareness about this threat, improve the security community’s ability to detect it, and provide countermeasures for defenders,” FireEye’s Doug Bienstock explains.

In an OAuth authorization flow, the third-party application requests a specific type of access to a user’s account, and APIs are used to define such sets of scopes (similar to the permissions apps ask for on mobile devices).

An attacker looking to abuse OAuth can create a malicious application and then retrieve user data with the help of obtained access tokens, via the API Resource. Access tokens don’t require a password and can bypass any two-factor enforcement in place, and access to the OAuth application has to be explicitly revoked to prevent abuse.

An attacker can obtain OAuth tokens via social engineering, by convincing the victim to click a “Consent link” and approve the application. This is exactly what happened last year, when a phishing attack targeting Gmail users spread like a worm and tricked many users into allowing a malicious app named “Google Docs” to access their contact information.

Called PwnAuth, the newly launched web application framework should make it easier for organizations to test their ability to detect and respond to OAuth abuse campaigns.

“The web application provides penetration testers with an easy-to-use UI to manage malicious OAuth applications, store gathered OAuth tokens, and interact with API Resources. The application UI and framework are designed to be easily extendable to other API Resources through the creation of additional modules,” Bienstock notes.

Available on GitHub, the platform comes with a module to support malicious Office 365 applications capable of capturing OAuth tokens and using them to interact with the Microsoft Graph API. However, PwnAuth could be used to target any cloud environment that allows OAuth applications.

The available Office 365 module supports reading the mail messages, searching the user's mailbox, reading the user's contacts, downloading messages and attachments, searching OneDrive and downloading files, and sending messages on behalf of the user.

Using PwnAuth requires creating a Microsoft application first, and then start phishing for potential victims. Once they click on the generated “Authorization URL,” PwnAuth captures OAuth tokens, and these can be used to access their data. More detailed information on the platform’s usage can be found on the GitHub wiki.

Mitigations include training programs on social engineering and taking steps to diminish the impact of malicious OAuth applications by limiting API scopes they can request, disabling third-party apps within the organization, implementing application whitelisting, logging any user consent events, and querying an organization's user base for all consented applications, the researcher says.  

“OAuth abuse attacks are a dangerous and non-traditional phishing technique that attackers can use to gain access to an organization's confidential data. As we move more services to the cloud, organizations should be careful to lock down third-party application access and ensure that their monitoring and detection strategy covers application consent grants. Organizations and security professionals can use PwnAuth to test their ability to detect and respond to this new type of attack,” Bienstock concludes.

Related: Phishing Poses Biggest Threat to Users: Google

Related: Google Takes Second Swing at OAuth Worm

view counter