A security researcher has discovered that by manipulating the OAuth protocol flow, single-click account hijacking is achievable.
OAuth, often expanded as Open Authentication, is a framework for managing identities and securing access across third-party services. For instance, service providers can use OAuth to issue short-lived, secure access tokens rather than relying on an account login and password combination.
Attackers may, however, take advantage of OAuth implementations in some circumstances to steal these tokens and carry out one-click account hijacking.
On July 6, Frans Rosén, Detectify’s security advisor, took us through a number of potential attack channels and ways that businesses can reduce the danger of compromise.
These situations are referred to by Rosén as “dirty dancing.”
By combining response-type switching, invalid states, and redirect URI programming “quirks,” attackers can take advantage of OAuth’s “dances,” or its authentication procedures and the way it controls communication between a browser and service provider, to steal user data like authorization codes or tokens.
Cross-site scripting (XSS) attacks and cross-origin referer leaks have been major concerns for browser developers in recent years, notably Google and Mozilla.
However, these attacks are still frequent and a concern to consumers everywhere, as noted in MITRE’s most recent 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, which was made public at the end of June.
Abusing the sign-in flow
Content Security Policy (CSP) and Trusted Types, which enable the programme to reject data values that could result in DOM XSS and credential hijacking, are two measures adopted by browsers to lessen the danger of these attacks.
The sign-in process for OAuth, which is used by businesses like Slack, Facebook, and Twitter, can, according to the study, possibly be “broken” for the same effect.
It should be remembered that these kinds of assaults are difficult to carry out and, as Rosén notes, need a “grind” that involves looking at source code and understanding how OAuth’s dances operate.
Breaking the chain
An attacker must first dismantle the link between the system that issues tokens and the service provider that uses them in order to steal tokens.
To do this, the victim is sent a specially constructed link to a sign-in page; the link carries the attacker’s own valid state, which replaces the state value the victim’s session would otherwise use.
The “dance” breaks once the victim logs in and is routed back to the website, because the user no longer holds a valid state. The user then sees an error message, and the researcher claims that if the threat actor is able to obtain data and URLs from that error page, they “may now sign in using their own state and the code obtained from the error page.”
Additionally, although modifying these paths is challenging, it is feasible to employ response-type, response-mode switching, and redirect-uri path abuse to break connections and produce unexpected behaviour.
“In a correct OAuth-dance utilising code,” says Rosén, “the redirect uri must also be submitted for validation to the service provider at the penultimate stage to get the access token from the service provider.”
No access token will be granted if the redirect uri used in the dance does not match the value that the website submits to the provider.
The researcher experimented with several attack strategies and succeeded in one-click hijacking. On May 12, one Apple OAuth sign-in exploit was reported.
In order to undermine OAuth and seize leaking URLs, attackers can also take advantage of other idiosyncrasies. These include misusing APIs designed for retrieving URLs and launching an XSS attack against the third-party domain that receives URL data during authentication. For instance, domains with insufficient origin checks may be vulnerable to abuse.
According to Rosén, “it becomes pretty challenging for a website to address all potential instances due to the fact that each OAuth provider allows so many varied response kinds and modes.”
The researcher advises reading the OAuth 2.0 Security Best Current Practice guide, ensuring that pages rendered for OAuth’s authorization response contain no third-party resources or links, and considering whether to allow only a limited set of OAuth response types and modes. All of these steps help reduce the risk of attack.
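As an added illustration of that advice (example code written for this page, not Rosén’s or Detectify’s), the Python below models a client’s callback handler: the state must match exactly and is consumed on first use, any sign of a switched response type or mode is refused, and the error result never echoes the returned code or URL. The redirect URI and parameter names are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed client values; a real deployment uses its registered redirect_uri.
REDIRECT_URI = "https://client.example/oauth/callback"

# Parameters that only show up when the response type or mode has been
# switched away from the plain authorization-code flow.
TOKEN_PARAMS = ("access_token", "id_token", "token")


def begin_login(session):
    """Generate an unguessable state and bind it to this browser session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def handle_callback(callback_url, session):
    """Validate the provider's redirect. Returns ("accept", code) or ("reject", reason)."""
    parts = urlsplit(callback_url)
    # The code flow never delivers parameters in the fragment; a fragment means
    # response_mode or response_type was switched, so refuse the whole dance.
    if parts.fragment:
        return ("reject", "unexpected fragment in authorization response")
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        return ("reject", "callback delivered to an unregistered redirect_uri")
    params = parse_qs(parts.query)
    # The state is single-use: consume it whether or not the check passes, so a
    # replayed or attacker-supplied state cannot be retried.
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if not expected or not received or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        # Generic reason only: echoing the parameters or the URL on the error
        # page is exactly the leak described above.
        return ("reject", "state mismatch")
    if any(name in params for name in TOKEN_PARAMS):
        return ("reject", "response type switched away from code")
    code = params.get("code", [None])[0]
    if not code or len(params["code"]) != 1:
        return ("reject", "authorization code missing or duplicated")
    return ("accept", code)
```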
Even though you might not be using any vulnerable third-party scripts right now, Rosén advised, “You can avoid any future potential token leakage if somebody in your business brings something new using Google Tag Manager or equivalent, or if the third-party scripts change.”