Or how OAuth can or has been breached.

Notes from a BSidesPDX talk by: @aaronpk

Includes cute kitties!

Vulnerabilities which have solutions

Well-written descriptions of the known threats and their mitigations already exist; read these before designing anything:

  • RFC 6749 Section 10 (OAuth 2.0 security considerations)
  • RFC 8252 Section 8 (OAuth 2.0 for Native Apps: security considerations)
  • RFC 6819 (OAuth 2.0 Threat Model and Security Considerations)

Actual vulnerabilities

Twitter leaked their own client secret (API keys) by embedding it in their mobile app. Anything shipped inside a native app can be extracted, so a native app can never keep a client secret. Fix: RFC 7636 (PKCE), which lets a public client prove it started the authorization request without holding any long-lived secret.

How PKCE works: the client generates a fresh random code verifier for each authorization request, sends the SHA-256 hash of it (the code challenge) along with the authorization request, and later sends the verifier itself with the token request. The authorization server hashes the verifier and compares it with the challenge it stored next to the authorization code, so an attacker who intercepts only the code cannot redeem it.
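Worked example (added to these notes, not code from the talk or from any real authorization server): both sides of the PKCE exchange, with an in-memory stand-in for the authorization server. `make_code_challenge` implements the S256 method from RFC 7636; the `AuthorizationServer` class, the client id `mobile-app` and the `run_flow` helper are constructed for illustration, and `run_flow(intercept=True)` models an attacker who captured the authorization code but not the verifier.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43..128 chars of [A-Za-z0-9-._~].
    # 32 random bytes encode to 43 characters.
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory server showing only the server-side PKCE checks."""

    def __init__(self):
        # authorization code -> (client_id, code_challenge)
        self._pending = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._pending.pop(code, None)   # codes are single use
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id:
            return None
        if not 43 <= len(code_verifier) <= 128:
            return None
        # Recompute the challenge from the presented verifier and compare
        # in constant time with the one stored at authorization time.
        if not hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return "access-token-" + b64url(secrets.token_bytes(16))


def run_flow(intercept: bool = False):
    """Run the whole exchange; returns the access token or None on rejection."""
    server = AuthorizationServer()
    verifier = make_code_verifier()                       # client keeps this private
    challenge = make_code_challenge(verifier)             # only the hash leaves the client
    code = server.authorize("mobile-app", challenge)      # sent with the authorization request
    if intercept:
        # Attacker saw the code (e.g. via a hijacked custom URL scheme) but has
        # no way to recover the verifier from its hash, so any guess fails.
        return server.token("mobile-app", code, make_code_verifier())
    return server.token("mobile-app", code, verifier)     # legitimate token request


if __name__ == "__main__":
    print("legitimate client:", run_flow())
    print("attacker with stolen code:", run_flow(intercept=True))
```

The test vector in the second assertion is the one published in RFC 7636 Appendix B; the rest exercise the constructed server.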

JSON Web Tokens (JWT)

Three parts, separated by '.': Header, Payload, Signature.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

"alg": "none"... does not end well. Some web services accepted a token whose header said alg: none as valid with no signature check at all, so an attacker could take any token, edit the payload (for example, grant themselves more scopes), set alg to none, strip the signature, and be accepted. Library defaults have since been fixed in most web frameworks, but it remains a threat to consider whenever a verifier honours the algorithm named in the token.

"alg": "HS256": a symmetric HMAC over a shared secret. Anyone who obtains that secret (every service that verifies the token has to hold it) can mint valid tokens.

Just because something is complicated does not mean someone thought it through.

Never let a JWT library pick the algorithm from the token's own header. Pin the expected algorithm (and key) in the verifying code and reject anything else; letting the untrusted token choose will probably end in a vulnerability.
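Worked example (added to these notes, not code from the talk): a minimal JWT parser that decodes the three '.'-separated parts of the token shown above, a vulnerable verifier that lets the header choose the algorithm (the alg: none failure), and a hardened verifier that pins HS256. Everything beyond the page's example token is constructed: the `constructed-demo-secret` key, the `mobile-app` style claims, and the `forge_alg_none` helper that plays the attacker.

```python
import base64
import hashlib
import hmac
import json

# The example token from these notes (the jwt.io sample); decoded below without verification.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Split header.payload.signature and decode them WITHOUT checking the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def _hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    segs = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, payload)]
    sig = _hs256(".".join(segs).encode("ascii"), secret)
    return ".".join(segs + [b64url_encode(sig)])


def verify_trusting_header(token: str, secret: bytes):
    """VULNERABLE: the token's own header decides how (or whether) it is verified."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))        # accepted with no signature
    if header.get("alg") == "HS256":
        expected = _hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256"):
    """HARDENED: the verifier decides the algorithm; anything else is rejected outright."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        return None
    expected = _hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_alg_none(token: str, **new_claims) -> str:
    """Attacker: edit the claims, set alg to none, and drop the signature entirely."""
    header, payload, _ = decode_unverified(token)
    header["alg"] = "none"
    payload.update(new_claims)
    segs = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, payload)]
    return ".".join(segs) + "."       # empty signature segment


if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN)[:2])
    secret = b"constructed-demo-secret"
    real = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "42", "scope": "read"}, secret)
    forged = forge_alg_none(real, scope="admin")
    print("trusting header:", verify_trusting_header(forged, secret))
    print("pinned alg:     ", verify_pinned(forged, secret))
```

The hardened verifier also shows the second point from the notes: the HS256 secret is the only thing standing between an attacker and a valid token, so the same secret used to sign must be held by every verifier, and anyone who gets it can sign.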

Stolen access tokens (Facebook, 50 million accounts)

Three bugs which, combined, opened the door:

  1. The "View As" privacy feature (which should only render a read-only view of your profile) incorrectly showed the video uploader, allowing videos to be posted.
  2. The video uploader incorrectly generated an access token with the permissions of the Facebook mobile app (i.e. everything).
  3. When reached through "View As", that token was generated for the user being viewed as, not for the viewer. An attacker could therefore look up any user and walk away with that user's full mobile-app access token.

Treat components of your own application the same way you'd treat a third-party application: give each one only the scopes it needs, and never hand out a token with more permission than the requesting component requires.

Google OAuth phishing attack, 2017

A devious attack that drove a real Google OAuth flow through the standard Google consent UI. The attacker registered a third-party application which, because of how the consent screen was designed, appeared to be a legitimate Google Drive folder share request. What it actually requested was access to Gmail and Contacts, which let it mail itself to every victim's contacts and spread rapidly across Google's user base.

This was an abuse of Google's authorization flow, not a bypass of it: the consent screen didn't make it clear that the user was authorizing some random third party to obtain an access token for their account. UIs need to clearly show who is requesting access to one's resources and what they will get.

Authorization UIs are important to design well, and must clearly show who and what is being authorized.