OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study...
Transcript of OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study...
![Page 1: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/1.jpg)
OAuth User Profile Attack
Ronghai Yang, Prof. Wing Cheong Lau and Tianyu Liu
The Chinese University of Hong Kong Nov 4, 2016
How to Sign into One Billion Mobile App Accounts Effortlessly
![Page 2: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/2.jpg)
Outline
• Background of OAuth2.0
✤ Unwell-defined protocol for mobile platforms
• User Profile Vulnerability
• Exploit
✤ Challenges & Tricks
✤ Case study
• Corresponding Remedies
2
![Page 3: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/3.jpg)
What is OAuth2.0?
3
![Page 4: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/4.jpg)
Three Parties in OAuth2.0
User Identity Provider (IdP) Relying Party (RP)
4
Goal: The user can log into the RP via the IdP
![Page 5: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/5.jpg)
Basic Interactions among User, RP and IdP
5
RP server User IdP serverWho are you? Tell IMDB my identity
This is your identity proofThis is my identity proof
Welcome, Ronghai!
• Such an identity proof is “access token (AT)” in OAuth2.0. • OAuth2.0 supports two types of mode: authorization
code flow & implicit flow
![Page 6: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/6.jpg)
OAuth2.0 Protocol Flow for Mobile: Implicit Flow
6
RP server User device IdP server
auth reqRP App
IdP App
![Page 7: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/7.jpg)
OAuth2.0 Protocol Flow for Mobile: Implicit Flow
7
RP server User device IdP server
auth reqRP App
IdP App
authentication& authorization
![Page 8: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/8.jpg)
OAuth2.0 Protocol Flow for Mobile: Implicit Flow
8
RP server User device IdP server
auth reqRP App
IdP App
authentication& authorization
![Page 9: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/9.jpg)
OAuth2.0 Protocol Flow for Mobile: Implicit Flow
9
RP server User device IdP server
auth reqRP App
IdP App
authentication& authorization
AT + user infoAT + user infoAT + user info
{"token_type":"Bearer","expires_in":7104,“id”: “100008512695261”"access_token":"CAABzj3PSN8C6OELrcr44hSlITO6…”}
![Page 10: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/10.jpg)
OAuth2.0 Protocol Flow for Mobile: Implicit Flow
10
RP server User device IdP server
API request for user info: access token
auth reqRP App
IdP App
authentication& authorization
AT + user infoAT + user infoAT + user info
https://graph.facebook.com/me?access_token=CAABzj3PSNiUBAF9MQrrNHwoZ...
![Page 11: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/11.jpg)
OAuth2.0 Protocol Flow for Mobile: Implicit Flow
11
RP server User device IdP server
API request for user info: access tokenUser profile information
auth reqRP App
IdP App
authentication& authorization
AT + user infoAT + user infoAT + user info
{"id": "100008512695261","birthday": "02/01/1991","email": ”[email protected]","first_name": ”Ronghai","gender": "male","last_name": ”Yang","link": "https://www.facebook.com/profile.php?id=100..1",“name”: ”Ronghai Yang",
}
![Page 12: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/12.jpg)
Unwell-defined Portions of Protocol Call-flow
12
• Neither RFC nor IdPs provides the complete call-flow
✤ How to communicate between RP app and IdP app: the browser splits into two apps
✤ How to process identity proof: server-to-server verification
![Page 13: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/13.jpg)
Common Mistake 1 Android Account Manager
• Centralized database to store user accounts
• INSERT INTO “accounts” VALUES (1,’[email protected]’,’com.google’,’password’,NULL)
• Integrated into OAuth2.0 when using Google as the IdP
13
![Page 14: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/14.jpg)
Common Mistake 1 Android Account Manager
14
RP server IdP serverAuth request
RP App IdP App
Account Infouser email
Token request Authentication & Authorization
• Two steps to obtain the access token
✤ Auth request: getAccounts()
✤ Token request: GoogleAuthUtil.getToken()
• Step 2 is often missing by RP developers
![Page 15: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/15.jpg)
Common Mistake 2 RP App Fails to Return AT
15
RP server IdP serverRP App IdP App
AT + user infouser info
AT + user info
• The RP app does not return AT to the RP server • The RP server only depends on user info to
identify the user
![Page 16: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/16.jpg)
Common Mistake 3 Fail to Verify Signature of Signed id_token (OpenID Connect)
16
RP server IdP serverRP App IdP App
AT + id_tokenAT + id_tokenAT + {id_token}
{ “uid”:1001, “email”:ronghai@xxx, “app”:imdb, …}
• id_token ✤ includes user profile information ✤ signed by IdP server
• The signature can be incorrectly verified, e.g., not verify the signature at all
Not verify signature
![Page 17: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/17.jpg)
The Platform to Exploit the Vulnerability
17
RP server IdP server
1. AT+ user info
3. AT + user info
5. AT + user info
attacker device
MITM Proxy
Domain under the attacker’s control
2. AT +
user info
4. AT +
user info
RP app IdP app
![Page 18: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/18.jpg)
Tamper the message between RP app and RP server• Challenges
1. proprietary message exchanges
2. digital signature/ encryption, in addition to HTTPS
3. no scalable
18
• Tamper messages between IdP app and IdP server
1. messages tampered on the IdP side will be propagated to the RP side
![Page 19: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/19.jpg)
Trick 1: Naive way to tamper messages between the IdP app and IdP server
• The IdP app does not adopt any practice to avoid MITM proxy
19
![Page 20: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/20.jpg)
Trick 2: Use WebView to bypass certificate pinning• Certificate pinning
✤ The IdP app only accepts the certificate from the true IdP server
• Uninstall IdP app to downgrade WebView scheme
20
![Page 21: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/21.jpg)
Trick 3: Modify IdP app to remove certificate pinning
• Some IdPs do NOT support WebView
• Existing tools do not work
✤ SSLUnpinning
• Reverse engineering
✤ Remove certificate pinning function
✤ Repackage
21
![Page 22: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/22.jpg)
Trick 4: Modify RP app to remove the certificate comparison by SDK
• RP app checks whether IdP app is legitimate
✤ The SDK hard-code the certificate of true IdP app.
✤ IdP app is re-signed
• Modify RP app
✤ scalable: modify the same function
22
![Page 23: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/23.jpg)
Demonstration Attacking Answers App
23
Step 1: The attacker, Eve, uses her own Google account to log into Answers
![Page 24: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/24.jpg)
Demonstration Attacking Answers App
Access Token
24
Step 2_a: The attacker setups MITMProxy
• The access token is bound to the attacker’s Google account
![Page 25: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/25.jpg)
Demonstration Attacking Answers App
25
Answers app uses access token to retrieve user data
The unique user id of Eve in Google+
Step 2_b: The attacker intercepts the user-profile request via proxy
![Page 26: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/26.jpg)
Demonstration Attacking Answers App
26
Step 3_a: The attacker searches the public user profile of the victim, Alice.
Step 3_b: The attacker obtains Alice’s user id via URL.
![Page 27: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/27.jpg)
Demonstration Attacking Answers App
27
Step 4: The attacker substitutes her own user id with the victim’s one
The victim’s uid
![Page 28: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/28.jpg)
Demonstration Attacking Answers App
28
The attacker logins as the victim, Alice
• Only require the public victim profile • The attack can be remotely/ silently launched
![Page 29: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/29.jpg)
Empirical Evaluation
29
IdPs# of Top Apps tested
(overall + per category)
# of Apps Support OAuth2.0
# of Vulnerable Apps
Facebook 400 (300+100) 59 9 (15%)
Google 400 (300+100) 40 8 (20%)
Sina 200 (100+100) 83 58 (70%)
Summary 1000 182 75 (41%)
• Facebook/ Google from Google Play ✤ Top-300 Apps in overall category ✤ Top-100 Apps in different categories
• Sina from one major Chinese app store ✤ Top-100 Apps in overall and different categories
![Page 30: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/30.jpg)
A Partial List of Vulnerable Android Mobile Apps
30
![Page 31: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/31.jpg)
A Partial List of Vulnerable Android Mobile Apps
31
• The total number of downloads for this incomplete list of Android apps exceeds 2.4 billion.
• Based on the SSO-user-adoption-rate of 51%, one conservative estimate is that more than one billion of different types of app accounts are susceptible.
• Such an attack is also feasible to iOS
✤ iOS RP apps adopt the same protocol call-flow
![Page 32: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/32.jpg)
Responsible Disclosure
• We reported this issue to all three IdPs on April 2016
• Receive their acknowledgements in different ways
✤ Maximum bounty reward from Sina
✤ Sina sent a notification letter to all its third-party app developers
• Based on our incomplete sampling very recently, most of RPs are still vulnerable
32
![Page 33: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/33.jpg)
Suggested Remedies1. For IdPs:
✤ Provide more clear, and more security-focused guidelines
✤ Issue private per-app user-id
❖ Facebook has adopted this practice since May 2014, but due to the backward compatibility reason, old users are still vulnerable.
✤ More security testing/ auditing on the RP app
❖ We have developed an OAuthTester tool for large-scale testing
2. For RPs: Never trust client-side information
3. Follow the best practices in draft-ietf-oauth-native-apps-05
33
![Page 34: OAuth User Profile Attack - Black Hat · PDF fileOAuth User Profile Attack ... Case study • Corresponding Remedies 2. ... Domain under the attacker’s control T + T +](https://reader034.fdocuments.net/reader034/viewer/2022051721/5a79f0827f8b9a3f618b813c/html5/thumbnails/34.jpg)
34
Thanks and Q&A
Wing Cheong Lau www.ie.cuhk.edu.hk/~wclau/
Ronghai Yang http://personal.ie.cuhk.edu.hk/~yr013/