OAuth 2.0 Vulnerability Leads to Account Takeover

A vulnerability in OAuth 2.0 could result in an attacker being able to sign into a victim’s mobile app account and take control of it, security researchers have discovered.

In a recently published research paper (PDF) that was also detailed at the Black Hat Europe security conference, three researchers from the Chinese University of Hong Kong demonstrate the prevalence and severe impact of the vulnerability. According to researchers, 41.21% of the 600 top-ranked Android apps that use the OAuth2.0-based authentication service from Facebook, Google, and Sina, are vulnerable.

Because of the widespread use of OAuth 2.0-based Single-Sign-On (SSO) services for 3rd party websites, the security researchers say, major Identity Providers (IdPs) such as Facebook, Google, and Sina, have adapted OAuth 2.0 to support SSO for 3rd-party mobile apps on their social-media platforms. However, because of differences in system environments, “the original OAuth 2.0 protocol becomes under-specified.”

Specifically, IdPs have developed home-brewed extensions of their OAuth 2.0-based Application Programming Interfaces (APIs) to support SSO for 3rd-party mobile apps on their platforms, but the operational requirements of such adaptations aren’t always documented or taken into consideration by the app developers.

The authentication process is complicated, relying on the interaction between the 3rd-party (client-side) mobile app, the client-side IdP app, the 3rd-party app’s backend server, and the IdP server. The issue emerges when the data that the mobile app server receives from the other involved entities isn’t properly validated.

“The root cause of this vulnerability is a common, but misplaced trust in the authenticating information received by the 3rd party app’s backend server from its own client-side mobile app, which in turn, relies on potentially tampered information obtained from the client-side mobile app of the IdP,” the security researchers explain.

To demonstrate the security flaw, the researchers created a remote exploit that allows an attacker to sign into a victim’s mobile app account via OAuth 2.0 without requiring interaction from the victim. The researchers demonstrated the attack on the Android operating system, but they explain that iOS applications are vulnerable as well.

The security researchers also explain that the insecure implementations of OAuth 2.0 include cases where the backend server doesn’t check whether the received user ID is bound to the issued OAuth access token; where the mobile app doesn’t verify the IdP’s digital signature on the user identity profile; and where the mobile app retrieves the user information on the mobile device and passes it to the backend server as proof of identity.

While analyzing mobile applications that use OAuth 2.0, the researchers discovered that 41.21% of them are vulnerable, and say that they put over a billion users at risk. Impacted programs include apps for travel planning, hotel booking, chatting, dating, finances, downloading, shopping, and browsing, as well as media players. The total number of downloads of vulnerable apps already exceeds 2.4 billion.

“After signing into the victim’s vulnerable mobile app account using our exploit, the attacker will have, in many cases, full access to the victim’s sensitive and private information which is hosted by the backend server(s) of the vulnerable mobile app. For some of these mobile applications, the online-currency/ service credits associated with the victim’s account are also at the disposal of the attacker,” the researchers say.

The researchers suggest that IdPs should provide 3rd-party application developers with clearer and more security-focused usage guidelines for their OAuth 2.0-based SSO APIs. The backend server of a mobile app should trust only information it exchanges directly with the IdP server; IdPs should issue private user identifiers on a per-mobile-app basis; and IdPs should conduct, or insist on, more thorough security testing of 3rd-party mobile apps, the researchers also say.
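The following is an added illustration (not code from the article or the research paper) of the flawed trust pattern described above next to the fix the researchers recommend: the backend accepting a client-relayed user ID versus deriving the user ID only from a direct server-to-server check of the token with the IdP. The introspection endpoint, token values, app IDs and accounts are constructed stand-ins.

```python
# Constructed stand-in for the IdP's server-side token-verification endpoint.
# Maps each access token to the user and app it was actually issued for.
IDP_TOKENS = {
    "tok-attacker": {"user_id": "u-attacker", "app_id": "app-1"},
    "tok-victim": {"user_id": "u-victim", "app_id": "app-1"},
    "tok-other-app": {"user_id": "u-victim", "app_id": "app-2"},
}

OUR_APP_ID = "app-1"  # the 3rd-party app this backend belongs to (constructed)

# Backend accounts keyed by the IdP user id (constructed sample data).
ACCOUNTS = {
    "u-victim": "victim account",
    "u-attacker": "attacker account",
}


def idp_introspect(access_token):
    """Direct backend-to-IdP-server call; returns None for an unknown token."""
    return IDP_TOKENS.get(access_token)


def login_vulnerable(user_id, access_token):
    """Insecure pattern from the paper: the backend trusts the user id that
    the mobile app relays and only checks that the token is valid at all,
    never that the token is bound to that user id."""
    if idp_introspect(access_token) is None:
        return None
    return ACCOUNTS.get(user_id)


def login_hardened(access_token):
    """Recommended pattern: ignore any client-supplied identity. The user id
    comes only from the IdP server's answer about the token, and the token
    must have been issued for this app, not for some other app."""
    info = idp_introspect(access_token)
    if info is None or info["app_id"] != OUR_APP_ID:
        return None
    return ACCOUNTS.get(info["user_id"])
```

With the vulnerable handler, a valid token for one user combined with another user's ID opens the second user's session; the hardened handler cannot be steered that way because the client never supplies the identity.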


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
