
Detectify Security Advisor describes an account hijacking attack scenario with anomalous OAuth flow.

TL;DR: Users of OAuth are asked to review the sign-in flow for third-party scripts, including on error pages, because those scripts may be exposed to newly discovered attack scenarios. Through a chain of attacks, such misconfigurations can allow single-click account hijacking.

The attack chains required for this kind of single-click account hijacking are complex, but according to Detectify security advisor Frans Rosén, some of the world’s most popular consumer and business websites are currently vulnerable to them because they do not follow the OAuth specification’s best practices.

Rosén recently conducted an extensive investigation into how OAuth tokens can be stolen. By combining response type switching, invalid states, redirect_uri quirks and third-party JavaScript inclusions, he identified three vulnerable scenarios:

1: Weak or missing origin checks in postMessage listeners leaking URLs

2: Cross-site scripting in a sandbox or third-party domain to obtain the URL

3: Fetching out-of-range URLs using APIs
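The first scenario, a postMessage listener with no origin check, is easiest to see in code. The following is an added example written for this article, not code from Rosén’s post or from any vendor: it models a third-party widget listener that answers "what page am I on?" requests, in its weak form beside a hardened one. The origin `https://widget.example`, the message type `get-page-url` and the sample callback URLs are all assumptions constructed for the example.

```javascript
// Added example (not from the Detectify post). Models a third-party widget's
// window.addEventListener("message", ...) handler as a pure function so it can
// be exercised offline: `event` carries { origin, data }, `pageUrl` stands in
// for location.href of the page that embeds the widget.

// Assumed vendor origin (placeholder for the example).
const TRUSTED_ORIGIN = "https://widget.example";

// Weak listener: no origin check, and it replies with the full page URL.
// On an OAuth callback or error page that URL carries ?code=... or
// #access_token=..., so any window that can post a message gets the token.
function weakListener(event, pageUrl) {
  if (event.data && event.data.type === "get-page-url") {
    return { type: "page-url", url: pageUrl };
  }
  return null;
}

// Hardened listener: only answers the vendor's own origin, and never hands
// back the credential-bearing parts of the URL even then.
function hardenedListener(event, pageUrl) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  if (!event.data || event.data.type !== "get-page-url") return null;
  return { type: "page-url", url: redactOAuthParams(pageUrl) };
}

// Replace OAuth-relevant query and fragment parameters with a fixed marker.
// The fragment is parsed as a query string because the implicit flow puts
// access_token there (#access_token=...&token_type=bearer).
function redactOAuthParams(pageUrl) {
  const u = new URL(pageUrl);
  const sensitive = ["code", "access_token", "id_token", "state"];
  for (const p of sensitive) {
    if (u.searchParams.has(p)) u.searchParams.set(p, "REDACTED");
  }
  if (u.hash.length > 1) {
    const frag = new URLSearchParams(u.hash.slice(1));
    for (const p of sensitive) {
      if (frag.has(p)) frag.set(p, "REDACTED");
    }
    u.hash = frag.toString();
  }
  return u.toString();
}

// Stand-alone demonstration: an untrusted window asks each listener for the URL.
const demoEvent = { origin: "https://untrusted.example", data: { type: "get-page-url" } };
const demoUrl = "https://app.example/oauth/callback?code=AUTHCODE123&state=s1";
console.log("weak listener replies:", weakListener(demoEvent, demoUrl));
console.log("hardened listener replies:", hardenedListener(demoEvent, demoUrl));
```

The important check is the first line of `hardenedListener`: a listener that validates `event.origin` against a fixed origin, rather than against a substring or a regular expression, cannot be driven from a page the attacker controls. Redacting the parameters is a second layer for the case where the listener has a legitimate reason to report the page location at all.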

About OAuth

The open OAuth specification enables single sign-on to websites by letting users authenticate with third-party credentials. Think of “Sign in with Google / Apple / Facebook” on a third-party website. All of these service providers use OAuth to issue some form of code or access token that verifies the user’s identity. Although OAuth is widely used across the web, it has seen numerous security vulnerabilities over the last decade, including the recent GitHub breaches carried out with stolen OAuth tokens.

Why this new study is important

Despite its security challenges, OAuth remains a powerful specification for developers and product owners: it not only enables secure delegation of access but also improves the user experience. As a result, use of the OAuth framework is undeniably growing, not only on consumer sites for end-user access but also in enterprise scenarios where internal access architectures protect critical business platforms.

As enterprise adoption of OAuth grows, the three vulnerable scenarios described by Rosén reveal the inherent risk of highly targeted one-click account hijacking being used for spear phishing or supply chain attacks.

The OAuth specification states that third-party scripts should not run anywhere in the login flow, but this guidance is currently grouped into sections that appear irrelevant or low-risk, so it is easily misunderstood or overlooked.

What should organizations using OAuth do to mitigate this risk?

First and foremost, you need to know which pages take part in your OAuth flow. This includes the error and exception pages that are rendered when any of the sign-in flow parameters are incorrect or missing.

Next, the organization needs to make sure that none of these pages load third-party scripts. During this investigation, Rosén found several kinds of third-party scripts that can leak URLs, such as:

  • Chatbot widgets
  • Analytics pixels
  • Capture services
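The two steps above amount to an inventory of the flow’s pages followed by a scan of each for third-party script inclusions. The following is an added example, written for this article and not taken from Detectify or any project, of such an audit run offline against constructed page contents. The hostnames (`app.example`, `static.app.example`, the widget and pixel vendors), the flow URLs and the HTML are all assumptions built for the example; a real audit would fetch the rendered pages, including the error page produced by a deliberately broken `redirect_uri` or `state`.

```javascript
// Added example (not from the Detectify post). Audits the pages of a sign-in
// flow, including the error page, for <script src> tags served from hosts
// outside the first-party set. All inputs below are constructed samples.

// Hosts the organization treats as its own (placeholders).
const FIRST_PARTY_HOSTS = new Set(["app.example", "static.app.example"]);

// Constructed HTML for each page the flow can render. The error page is the
// one people forget: it is reached with a bad redirect_uri or missing state
// and often still carries the site-wide chat and analytics tags.
const FLOW_PAGES = {
  "https://app.example/oauth/authorize": `<html><head>
    <script src="/js/app.js"></script></head><body>authorize</body></html>`,
  "https://app.example/oauth/callback?code=AUTHCODE&state=s1": `<html><head>
    <script src="https://static.app.example/js/callback.js"></script></head></html>`,
  "https://app.example/oauth/error?error=invalid_request": `<html><head>
    <script src="https://static.app.example/js/app.js"></script>
    <script async src="https://chat.widget-vendor.example/loader.js"></script>
    <script src="//analytics.pixel-vendor.example/px.js"></script></head></html>`,
};

// Pull every src attribute out of <script ...> tags. A regular expression is
// adequate for an audit of pages you control; it is not an HTML parser.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve each src against the page URL (this also handles relative and
// protocol-relative "//host/path" forms) and keep those on foreign hosts.
function thirdPartyScripts(pageUrl, html, firstPartyHosts = FIRST_PARTY_HOSTS) {
  return scriptSources(html)
    .map((src) => new URL(src, pageUrl))
    .filter((u) => !firstPartyHosts.has(u.hostname))
    .map((u) => u.href);
}

// Map of page URL -> list of third-party script URLs, only for pages with findings.
function auditFlow(pages = FLOW_PAGES, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const findings = {};
  for (const [url, html] of Object.entries(pages)) {
    const bad = thirdPartyScripts(url, html, firstPartyHosts);
    if (bad.length > 0) findings[url] = bad;
  }
  return findings;
}

// Stand-alone run: prints the pages that violate the "no third-party scripts
// in the login flow" rule together with the offending script URLs.
console.log(JSON.stringify(auditFlow(), null, 2));
```

The point of keeping the error page in `FLOW_PAGES` is that it is part of the flow even though it is never reached on the happy path; an inventory that starts from the authorization endpoint and walks only successful redirects will miss it.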

Responsible Disclosure

Rosén reported several of the cases identified in his study, and they are currently in a responsible disclosure process. He also shared a draft of the research post with the IETF’s “OAuth 2.0 Security Best Practices” draft working group before publishing it.


Source: https://blog.detectify.com/2022/07/06/account-hijacking-in-sign-in-oauth-flows/
