A Billion Mobile Apps are Vulnerable to Account Hijacking

Three researchers from the University of Hong Kong have determined that third-party applications that allow for single sign-on processes via Facebook and Google by supporting the OAuth 2.0 protocol are exposed to account hijacking.

Earlier this month, three Chinese researchers from the University of Hong Kong presented a paper at Black Hat EU describing an attack that takes advantage of weak OAuth 2.0 implementations. The paper, called “Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0”, is exactly as damning as described, ostensibly leaving one billion apps vulnerable to account hijacking.

As reported by ThreatPost, the researchers combed through 600 of the top apps that use OAuth 2.0 APIs from Facebook, Google and Weibo-operator Sina, in the United States and in China. Altogether, the researchers discovered that 41.2 percent of the apps they tested were vulnerable to their attack. These apps include popular chat, hotel booking, dating, travel, shopping, finance and music applications. While the researchers detailed the many categories of apps impacted, no application was mentioned by name.

It is notable, however, that some of these apps are among the most popular in the world, with hundreds of millions of downloads between them. In aggregate, the apps tested by the researchers had been downloaded more than 2.4 billion times, and with a little over 40% of those apps affected, that means over a billion are vulnerable.

Researchers Ronghai Yang, Wing Cheong Lau and Tianyu Liu wrote:

After signing into the victim’s vulnerable mobile app account using our exploit, the attacker will have, in many cases, full access to the victim’s sensitive and private information (chat logs, photos, contact lists) which is hosted by the backend server(s) of the vulnerable mobile app.

“For some of these mobile applications, the online-currency/service credits associated with the victim’s account are also at the disposal of the attacker,” the researchers added, underlining the severity of the vulnerabilities.

Because OAuth 2.0 neither defines specific security requirements nor details how its backend should interact with third-party apps securely, a number of customized API extensions were developed to support a single sign-on (SSO) process.

The attack makes use of an attacker-owned SSL man-in-the-middle proxy that comes into play once it has been set up for the attacker’s device. With the proxy monitoring both inbound and outbound traffic from the attacker’s device, the attacker would then be able to sign in, using OAuth 2.0, with their own credentials on a vulnerable third-party app on their device.

Ultimately, the paper recommends that Facebook, Google and Sina, the three primary identity providers, improve their security recommendations and requirements for developers. Placing trust solely in the identity provider’s servers, rather than in anything signed by a client-side application, is crucial, they suggest.
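The recommendation above, sketched as an added example (not code from the paper or from any identity provider): a backend login handler that believes the user id relayed by the client app, beside one that takes identity only from the identity provider's answer about the token. The `idp_introspect` function, the token table, `APP_ID` and every other name are constructed stand-ins for a server-to-server call to the provider.

```python
# Added example. All names and data are constructed for illustration.
APP_ID = "app-123"  # assumption: this backend's client id at the identity provider

# Constructed sample data: what the identity provider knows about each token.
IDP_TOKENS = {
    "tok-alice": {"user_id": "alice", "app_id": "app-123"},
    "tok-bob": {"user_id": "bob", "app_id": "app-123"},
    "tok-other-app": {"user_id": "alice", "app_id": "app-999"},
}


class AuthError(Exception):
    """Raised when a login request must be refused."""


def idp_introspect(access_token):
    """Hypothetical stand-in for asking the identity provider about a token."""
    return IDP_TOKENS.get(access_token)


def login_trusting_client(request):
    """Weak pattern: the token is checked, but identity comes from the client."""
    if idp_introspect(request["access_token"]) is None:
        raise AuthError("invalid token")
    # Client-controlled field, never compared with the token's real owner.
    return request["user_id"]


def login_trusting_idp(request):
    """Hardened pattern: identity comes only from the provider's answer."""
    info = idp_introspect(request.get("access_token", ""))
    if info is None:
        raise AuthError("token not recognised by identity provider")
    if info["app_id"] != APP_ID:
        raise AuthError("token was issued to a different app")
    claimed = request.get("user_id")
    if claimed is not None and claimed != info["user_id"]:
        # A mismatch means the request was altered in transit; refuse and log.
        raise AuthError("client-supplied user id does not match token owner")
    return info["user_id"]
```

The mismatch branch doubles as a detection point: a backend that logs these refusals sees every login request whose relayed identity disagrees with the provider's record.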
