November 16, 2016

A Billion Mobile Apps are Vulnerable to Account Hijacking

Three researchers from the University of Hong Kong have determined that third-party applications supporting single sign-on via Facebook and Google through the OAuth 2.0 protocol are exposed to account hijacking.

Earlier this month, three Chinese researchers from the University of Hong Kong presented a paper at Black Hat EU describing an attack that takes advantage of weak OAuth 2.0 implementations. The paper, titled “Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0”, is as damning as its title suggests, ostensibly leaving one billion mobile app accounts open to hijacking.

As reported by ThreatPost, the researchers combed through 600 of the top apps that use the OAuth 2.0 APIs of Facebook, Google and Weibo operator Sina, in the United States and in China. Altogether, they found that 41.2 percent of the apps they tested were vulnerable to their attack. These apps include popular chat, hotel booking, dating, travel, shopping, finance and music applications. While the researchers detailed the many categories of apps affected, no application was mentioned by name.

It is notable, however, that some of these apps are among the most popular in the world, with hundreds of millions of downloads between them. In aggregate, the apps tested by the researchers had been downloaded more than 2.4 billion times, and with a little over 40% of those apps vulnerable, over a billion installations are exposed.

Researchers Ronghai Yang, Wing Cheong Lau and Tianyu Liu wrote:

“After signing into the victim’s vulnerable mobile app account using our exploit, the attacker will have, in many cases, full access to the victim’s sensitive and private information (chat logs, photos, contact lists) which is hosted by the backend server(s) of the vulnerable mobile app.”

“For some of these mobile applications, the online-currency/service credits associated with the victim’s account are also at the disposal of the attacker,” the researchers added, underlining the severity of the vulnerabilities.

Because the OAuth 2.0 specification neither defines specific security requirements nor details how an identity provider’s backend should interact securely with third-party apps, each provider developed its own customized API extensions to support a single sign-on (SSO) process, and app developers were left to integrate them without clear guidance.

The attack relies on an SSL man-in-the-middle proxy that the attacker sets up for their own device. With the proxy monitoring the device’s traffic in both directions, the attacker signs in to a vulnerable third-party app on that device using OAuth 2.0 with their own credentials, and can then observe and manipulate the sign-on exchange between the app and its backend.

Ultimately, the paper recommends that Facebook, Google and Sina, the three primary identity providers, improve their security recommendations and requirements for developers. The crucial point, they suggest, is that an app’s backend must place its trust solely in what the identity provider’s servers assert, never in identity information supplied or signed by the client-side application.
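To make that recommendation concrete, here is an added illustration of a mobile app backend’s sign-in handler in two forms. It is not code from the article or from the researchers’ paper. The vulnerable form trusts the user identity that the client app forwards alongside the access token, which is exactly the kind of client-controlled data an on-device proxy can alter; the hardened form derives identity only from the identity provider’s token-verification response and also checks that the token was issued for this app. The identity provider is simulated by a small in-memory table standing in for a real verification endpoint (such as Google’s tokeninfo or Facebook’s debug_token); all app ids, tokens and user ids are constructed for this example.

```python
"""
Added example (not from the LIFARS article or the Black Hat EU paper):
a backend sign-in handler that trusts the client versus one that trusts
only the identity provider (IdP).

The IdP is a constructed stand-in for a real token-verification endpoint.
All tokens, user ids and app ids below are made up for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# --- Constructed stand-in for the identity provider ---------------------
# Maps access tokens the IdP issued to the subject (user) they belong to
# and the audience (app id) they were issued for.
IDP_TOKENS = {
    "tok-attacker-111":  {"sub": "user-attacker", "aud": "app-chat"},
    "tok-victim-222":    {"sub": "user-victim",   "aud": "app-chat"},
    "tok-other-app-333": {"sub": "user-victim",   "aud": "app-other"},
}

# The app id our backend expects tokens to be issued for (constructed).
OUR_APP_ID = "app-chat"


def idp_verify_token(access_token: str) -> Optional[dict]:
    """Simulated IdP verification endpoint: token info, or None if unknown."""
    return IDP_TOKENS.get(access_token)


@dataclass
class SignInRequest:
    access_token: str
    claimed_user_id: str  # identity the client app says the token belongs to


# --- Vulnerable backend: identity taken from the client ------------------
def vulnerable_sign_in(req: SignInRequest) -> Optional[str]:
    """Logs the caller in as whoever the client claims, as long as the token
    is valid for *someone*. Because claimed_user_id is client-controlled, a
    valid token for one user can be paired with another user's id."""
    info = idp_verify_token(req.access_token)
    if info is None:
        return None
    return req.claimed_user_id  # BUG: trusts client-supplied identity


# --- Hardened backend: identity taken only from the IdP -------------------
def hardened_sign_in(req: SignInRequest) -> Optional[str]:
    """Asks the IdP who the token belongs to and which app it was issued
    for; the client's claimed identity is never consulted."""
    info = idp_verify_token(req.access_token)
    if info is None:
        return None  # token unknown to the IdP
    if info["aud"] != OUR_APP_ID:
        return None  # token was issued for a different app
    return info["sub"]  # identity asserted by the IdP, not the client


if __name__ == "__main__":
    # A client forwarding its own valid token with a different user's id.
    req = SignInRequest("tok-attacker-111", "user-victim")
    print("vulnerable:", vulnerable_sign_in(req))  # user-victim
    print("hardened:  ", hardened_sign_in(req))    # user-attacker
```

The audience check matters as much as the subject check: a token legitimately issued to the same user for a different app must not be accepted by this backend, otherwise any app the user has authorised becomes a path into this one.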

Image credit: Pexels.

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
