OAuth2.0 implementation flaw allows attackers to pop Android users’ accounts

Incorrect OAuth2.0 implementation by third party mobile app developers has opened users of those apps to account compromise, three researchers from the Chinese University of Hong Kong have discovered.

How to exploit the vulnerability in a faulty OAuth2.0 implementation

The exploit

The flaw can be exploited remotely, with no involvement and/or awareness of the victim.

The attacker has to set up an SSL-enabled MITM proxy for his own device and install a vulnerable third party app on it.

When he signs into the mobile app in question with OAuth (using his own Identity Provider login name and password), he captures the OAuth message destined for the app’s servers, replaces his own user-id with that of his victim, and then forwards it to the servers.

“The victim’s user-id is either publicly available information (available from the victim’s public web page for the case of Google+ and Sina users) or easily guessable (in the case where the app uses user-email-address as the user name),” the researchers explained.

“Since the third-party backend server directly uses the user’s identity proof returned from its client-side app to identify the app user WITHOUT further validation, the attacker can therefore successfully sign into the app as the victim and in most cases have full access to the victim’s sensitive information hosted by the third-party app’s backend server.”
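To make the flaw concrete, here is an added illustration (not code from the article or the researchers) of a backend that trusts the client-supplied user-id beside one that re-validates the identity proof with the Identity Provider; the IdP introspection endpoint and token values are mocked, not a real API:

```python
# Constructed stand-in for the Identity Provider's view of issued tokens (example data only).
# Maps access token -> (user id the token was issued for, client id it was issued to).
IDP_TOKENS = {
    "tok-attacker": ("attacker-uid", "travel-app"),
    "tok-victim": ("victim-uid", "travel-app"),
    "tok-other-app": ("victim-uid", "some-other-app"),
}
APP_CLIENT_ID = "travel-app"  # assumed client id of the vulnerable third-party app


def idp_token_info(access_token):
    """Mocked IdP token-introspection call; a real backend would query the IdP over HTTPS."""
    return IDP_TOKENS.get(access_token)


def vulnerable_login(message):
    """The pattern the article describes: whatever user-id the client app sends is believed."""
    # No further validation: a MITM'd client can put any victim's id here.
    return message["user_id"]


def hardened_login(message):
    """Derive the account from the IdP's answer about the token, never from the client field."""
    info = idp_token_info(message["access_token"])
    if info is None:
        return None  # token the IdP never issued (or already revoked)
    idp_user_id, audience = info
    if audience != APP_CLIENT_ID:
        return None  # token was issued to a different app; reject to prevent token reuse
    return idp_user_id


def tampering_suspected(message):
    """Detection hook: the client-claimed id disagrees with what the IdP says the token is for."""
    verified = hardened_login(message)
    return verified is not None and message.get("user_id") != verified


# Constructed attacker message: attacker's own valid token, victim's public user-id swapped in.
ATTACK = {"access_token": "tok-attacker", "user_id": "victim-uid"}

if __name__ == "__main__":
    print("vulnerable backend logs in as:", vulnerable_login(ATTACK))  # victim-uid
    print("hardened backend logs in as:  ", hardened_login(ATTACK))    # attacker-uid
    print("tampering suspected:", tampering_suspected(ATTACK))         # True
```

The hardened path also rejects a valid token that the IdP issued to a different app, which is the audience check a backend needs in addition to the user-id check.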

They have tested the exploit against 600 top-ranked US and Chinese Android apps that use the OAuth2.0-based authentication service provided by Facebook, Google or Sina, and discovered that, on average, 41.21% of these apps are vulnerable.

They have not named the vulnerable apps, but depending on their nature, an attacker could gain access to victims’ private and sensitive info (travel itineraries, dating history, browsing history, personal income, etc.), as well as send forged messages, purchase gifts, pay for room bookings, and so on.

Facebook, Google and Sina have been apprised of the problem, and they acknowledged it.

Sina already updated the Single-Sign-On section of its programming guide for third party developers, and notified all of them directly so that they could make the necessary changes. Google and Facebook said that they would do the same.

The researchers also hope that Identity Providers will perform more thorough security testing of third party mobile apps in the future, and will switch to private user identifiers that can’t be easily guessed by attackers.

“In fact, such a practice has been adopted by Facebook since May 2014,” they noted. “However, Facebook still insists on the global user identifier if the user started using the mobile app before May 2014. As such, the attack is still applicable to the early users of a vulnerable app.”
