November 17, 2016

OAuth 2.0 Claims it is Still Secure, “If Used Properly”

In the aftermath of the revelation that a billion mobile apps could be hijacked through a vulnerability in OAuth 2.0 – as discovered by three Chinese researchers from the University of Hong Kong – OAuth 2.0 has claimed it is still secure, for non-mobile implementations.

In an email to customers, OAuth 2.0 has unsurprisingly reached out to quell fears about a security compromise of its API, as revealed by the Chinese researchers.

In an attempt to reassure customers, the company writes in plain bold text:

IT IS ONLY FOR MOBILE APPS AND ONLY FOR APPS THAT USE THE MOBILE DEVICE’S GLOBAL USER IDENTIFIER TO AUTHENTICATE.

As an easier way of describing it to customers, OAuth 2.0 states that app developers used the global user identifier as their app’s password with their own servers. “It is not the protocol, but their implementation” that is the cause behind the shoddy security, the company argued.

As an example, the company pointed to SSH (Secure Shell), a network protocol that is secure by design. However, if a developer were to hard-code the authentication certificate in clear text, that security would be nullified.

The company then explained:

The fundamental flaw is that some mobile app developers are lazy and will use the mobile device’s global user identifier instead of issuing their own identification token for their app. It is completely unrelated to the web-based authentication method used by the original, non-mobile version of OAuth used by Avanan.
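To make the distinction the statement draws concrete, here is an added Python sketch that is not code from Avanan, the OAuth authors or the researchers: a backend that treats the identity provider's global user ID as the login credential, next to one that verifies the access token with the provider, checks that the token was issued to this app, and only then issues its own session token. The identity provider is a constructed in-memory stand-in for a provider's token-introspection call, and every name in it (`idp_introspect`, `login_flawed`, `login_hardened`, the token values) is hypothetical.

```python
"""Added example: user-ID-as-password versus token verification plus an
app-issued session. Hypothetical code; the identity provider below is a
constructed in-memory stand-in, not a real Facebook/Google/Sina endpoint."""

import hashlib
import hmac
import secrets

# Constructed stand-in for the provider's token-introspection endpoint:
# access_token -> (global user id, app id the token was issued to).
IDP_TOKENS = {
    "tok_alice_ourapp": ("uid-1001", "ourapp"),    # issued to our app
    "tok_alice_otherapp": ("uid-1001", "otherapp"),  # same user, other app
}

OUR_APP_ID = "ourapp"   # the client/app id registered with the provider
SESSIONS = {}           # sha256(session token) -> user id


def idp_introspect(access_token):
    """Simulate asking the provider who a token belongs to and which app
    it was issued to. Returns None for unknown tokens."""
    return IDP_TOKENS.get(access_token)


def issue_session(user_id):
    """Issue the app's own opaque session token, storing only its hash."""
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = user_id
    return token


def whoami(session_token):
    """Resolve an app session token back to a user id (None if unknown)."""
    return SESSIONS.get(hashlib.sha256(session_token.encode()).hexdigest())


def login_flawed(user_id):
    """The pattern the statement describes: the client sends the provider's
    global user id and the backend accepts it as proof of identity. A user
    id is public, so any caller who knows it is logged in as that user."""
    return issue_session(user_id)


def login_hardened(access_token):
    """The client sends the provider's access token; the backend verifies it
    with the provider, rejects tokens issued to other apps, and then mints
    its own session token. Returns None when verification fails."""
    info = idp_introspect(access_token)
    if info is None:
        return None                     # provider does not recognise the token
    user_id, app_id = info
    if not hmac.compare_digest(app_id, OUR_APP_ID):
        return None                     # token belongs to a different app
    return issue_session(user_id)


if __name__ == "__main__":
    # Flawed: a bare user id is enough to obtain a session for that user.
    print("flawed:", whoami(login_flawed("uid-1001")))
    # Hardened: only a valid token issued to this app yields a session.
    print("other app:", login_hardened("tok_alice_otherapp"))
    print("unknown:", login_hardened("not_a_token"))
    print("ours:", whoami(login_hardened("tok_alice_ourapp")))
```

The audience check matters as much as the validity check: a token that is genuine but was issued to a different app must not log the user into this one, and the backend's own session token, not the provider's identifier, is what the client holds afterwards.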

As LIFARS reported yesterday, the researchers assessed 600 of the top apps that used OAuth 2.0 APIs from the identity providers Facebook, Google and China-based Sina, the operator of the popular platform Weibo. Some of these apps are among the most downloaded in the world, with hundreds of millions of downloads in some cases.

Altogether, the apps tested by the researchers had been downloaded over 2.4 billion times. The researchers concluded their testing by revealing that a little over 40% of those apps were vulnerable. That’s a billion downloads of applications currently on users’ phones and other mobile devices.

Image credit: Pixabay.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
