
How to Hack OAuth - Øredev 2019

Aaron Parecki
November 06, 2019

Video: https://vimeo.com/371495209

OAuth is the foundation of most of modern online security, used everywhere from signing in to mobile apps, to protecting your bank accounts. Despite its ubiquity, it is still often difficult to implement safely and securely, especially in today's landscape, which is dramatically different from the world of online security as it existed when OAuth was initially created.

This talk will explore several real-world OAuth hacks that affected major providers like Twitter, Facebook and Google. I'll share the details of how each specific attack happened, as well as what they could have done to prevent it. Some of these attacks exploited technical flaws in the system, and some exploited the easier to hack, squishier component in the middle: people.

https://oredev.org/sessions/how-to-hack-oauth

https://oauth2simplified.com/

Transcript

  1. How to Hack OAuth
    AARON PARECKI
    @aaronpk
    aaronpk.com

  2. @aaronpk
    Tweet your questions!
    @[email protected]
    Toot your questions!
    aaronpk.com

  3. Senior Security Architect at Okta
    @oktadev

  4. oauth.net

  5. RFC6749
    RFC6750
    CLIENT TYPE
    AUTH METHOD
    GRANT TYPE
    RFC6819
    RFC7009
    RFC7592
    RFC7662
    RFC7636
    RFC7591
    RFC7519
    BUILDING YOUR APPLICATION
    RFC8252
    OIDC
    RFC8414
    STATE PARAM
    TLS
    CSRF
    UMA 2
    FAPI
    RFC7515
    RFC7516
    RFC7517
    RFC7518
    TOKEN BINDING
    POP
    SECURITY BCP
    CIBA
    HTTP SIGNING
    MUTUAL TLS SPA BCP
    JARM
    JAR
    TOKEN EXCHANGE
    DPOP

  6. THE PASSWORD ANTI-PATTERN

  7. THE PASSWORD ANTI-PATTERN
    facebook.com ~2010

  8. so... how can I let an app access my data without giving it my password?

  9. POST /resource/1/update HTTP/1.1
    Authorization: Bearer RsT5OjbzRn430zqMLgV3Ia
    Host: api.authorization-server.com

    description=Hello+World

  10. A HOTEL KEY CARD, FOR APPS
    (diagram: Authorization Server, Access Token, Resource (API))

  11. HOW OAUTH WORKS

  12. ROLES IN OAUTH
    OAuth Server (Authorization Server), aka the token factory
    API (Resource Server)
    The Application (Client)
    The User (Resource Owner)
    Device (User Agent)

  13. User: I’d like to use this great app
    App: Please go to the authorization server to grant me access
    User: I’d like to log in to “Yelp”, it wants to access my contacts
    AS: Here is a temporary code the app can use
    User: Here is the temporary code, please use this to get a token
    App: Here is the temporary code, and my secret, please give me a token
    AS: Here is an access token!
    App: Please let me access this user’s data with this access token!
    (diagram: User Agent, App, OAuth Server, API)

  14. Front Channel: https://accounts.google.com/?...
    Passing data via the browser's address bar. The user, or malicious software, can modify the requests and responses.
    Back Channel: HTTPS request sent from client to server, so requests cannot be tampered with.

  15. Back Channel Benefits
    ‣ The application knows it's talking to the right server
    ‣ Connection from app to server can't be tampered with
    ‣ Response from the server can be trusted because it came back in the same connection

  16. Passing Data via the Back Channel
    (diagram: OAuth Server, OAuth Client)

  17. Passing Data via the Front Channel
    (diagram: OAuth Server, OAuth Client)

  18. Front Channel Benefits
    https://accounts.google.com/?...
    ‣ The user being involved enables them to give consent
    ‣ Doesn't require the receiver to have a publicly routable IP (e.g. can work on a phone)

  19. THE HACKS

  20. HOW TO HACK OAUTH
    RFC 6749 Section 10
    RFC 8252 Section 8
    RFC 6819
    draft-ietf-oauth-security-topics

  21. TWITTER: STOLEN API KEYS

  22. 2013

  23. ANYONE CAN IMPERSONATE THE TWITTER APPS

  24. DON'T PUT SECRETS IN NATIVE APPS!
    https://developer.okta.com/blog/2019/01/22/oauth-api-keys-arent-safe-in-mobile-apps

  25. PKCE: PROOF KEY FOR CODE EXCHANGE
    RFC 7636 (pronounced "pixie")

  26. User: I’d like to use this great app
    App: Hang on while I generate a new secret and hash it
    App: Please go to the authorization server to grant me access, take this hash with you
    User: I’d like to log in to this app, here's the hashed secret it gave me
    AS: Here is a temporary code the app can use
    User: Here is the temporary code, please use this to get a token
    App: Here's the code, and the plaintext secret, please give me a token
    AS: Let me verify the hash of that secret... ok here is an access token!
    App: Please let me access this user’s data with this access token!
    (diagram: User Agent, App, OAuth Server, API)
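The slide-26 exchange in runnable form, as an added example that is not code from the talk or from AppAuth: the client keeps a fresh random verifier, only its S256 hash rides through the browser on the front channel, and a toy in-memory authorization server (constructed here) checks the plaintext verifier on the back channel before issuing a token. Python standard library only; the client id "native-app" and the code/token format are assumptions for the example.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """Client side: a fresh random secret per authorization request (32 bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """S256: only this hash travels through the browser on the front channel."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Toy authorization server (constructed for this example), in memory only."""
    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        """Front channel: remember the challenge that arrived with the request."""
        if method != "S256":  # refuse the weaker 'plain' method outright
            raise ValueError("invalid_request: only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, code: str, client_id: str, code_verifier: str) -> str:
        """Back channel: the code is consumed on first use, match or not, so it cannot be retried."""
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid_grant: unknown, reused or mismatched code")
        if not secrets.compare_digest(make_challenge(code_verifier), entry[1]):
            raise ValueError("invalid_grant: verifier does not hash to the stored challenge")
        return b64url(secrets.token_bytes(24))  # the access token

def exchange_ok(server: AuthorizationServer, code: str, client_id: str, verifier: str) -> bool:
    try:
        server.token(code, client_id, verifier)
        return True
    except ValueError:
        return False

def run_flow(server: AuthorizationServer, client_id: str = "native-app") -> str:
    """The slide-26 sequence for a public client: hash out, plaintext secret back."""
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier), "S256")
    return server.token(code, client_id, verifier)
```

A code that leaks on the front channel is useless without the verifier, which never left the app, and a wrong guess burns the code.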

  27. AppAuth.io
    iOS / Android / JavaScript

  28. JWT ALG=NONE
    photo by flickr.com/quidox

  29. 2015

  30. An Example JWT
    eyJraWQiOiJvQ1JjR3RxVDhRV2tJR0MyVXpmcEZUczVqSkdnM00zSTNOMHgtZDJhSFNNIiwiYW
    xnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULkp3eVRTcTlqNDU0bDNTNmRTM1VTV1hMV
    VpwekdKdWNSd1ZEbFZCNWNIc3cuVVM1V1NGYVFiQllUMC9GM2tjMG8vK1ZUY3VZZzdwVnZqZXZ
    TT3hkUHhCMD0iLCJpc3MiOiJodHRwczovL2Rldi0zOTYzNDMub2t0YXByZXZpZXcuY29tL29hd
    XRoMi9kZWZhdWx0IiwiYXVkIjoiYXBpOi8vZGVmYXVsdCIsImlhdCI6MTU0MzgwMzAyNSwiZXh
    wIjoxNTQzODA2NjI1LCJjaWQiOiIwb2FoenBwM3RjcEZyZmNXSTBoNyIsInVpZCI6IjAwdWkwZ
    mpraWV5TDQ2bWEwMGg3Iiwic2NwIjpbIm9mZmxpbmVfYWNjZXNzIiwicGhvdG8iXSwic3ViIjo
    iaW5xdWlzaXRpdmUtYWxiYXRyb3NzQGV4YW1wbGUuY29tIn0.ncVkzcc6qrFJSXE3-5UsRu_kH
    vbwIMKYL3PFaMwReYTquPAcOQ8t93xF0bxbS8wrP0udCDvk6eYq4VbjoFdD59Yy6ltz0OKQl3-
    g8uFg2RwqTBMOKR0mYtQH0RCr9ORhSsmKolaDDt4TcRX78ZOAyhZ_Qg_UcEoHM4uZikpzBJYpY
    KbCCfbx-6FzYyHuvevSFzURISYpSHv3nbzirkEzKbOv7eZlg1cCYBdUoGuVBskyHxfMxFpoKQU
    3mwIFdlQJR8LZ8hA_5ZdYjjMeSXfjnhlP2rppJiHy1NreGXXcUsUA74V2t_keY44deTrnPgoFO
    Se9IchWqcj6sDMDutC4ag

  31. JWTS ARE OFTEN USED FOR API AUTHENTICATION AND AS OAUTH ACCESS TOKENS

  32. Attacking a JWT
    header
    {
      "typ": "JWT",
      "alg": "RS256"
    }
    claims
    {
      "ver": 1,
      "jti": "AT.JwyTSq9j454l3S6dS3USWXLUZpzGJucRwVDlVB5cHsw.US5WSFaQbBYT0/F3kc0o/+VTcuYg7pVvjevSOxdPxB0=",
      "iss": "https://dev-396343.oktapreview.com/oauth2/default",
      "aud": "api://default",
      "iat": 1543803025,
      "exp": 1543806625,
      "cid": "0oahzpp3tcpFrfcWI0h7",
      "uid": "00ui0fjkieyL46ma00h7",
      "scp": [
        "offline_access",
        "photo"
      ],
      "sub": "inquisitive-albatross@example.com"
    }
    signature

  33. Attacking a JWT
    header
    {
      "typ": "JWT",
      "alg": "none"
    }
    claims
    {
      "ver": 1,
      "jti": "AT.JwyTSq9j454l3S6dS3USWXLUZpzGJucRwVDlVB5cHsw.US5WSFaQbBYT0/F3kc0o/+VTcuYg7pVvjevSOxdPxB0=",
      "iss": "https://dev-396343.oktapreview.com/oauth2/default",
      "aud": "api://default",
      "iat": 1543803025,
      "exp": 1543806625,
      "cid": "0oahzpp3tcpFrfcWI0h7",
      "uid": "00ui0fjkieyL46ma00h7",
      "scp": [
        "offline_access",
        "photo"
      ],
      "sub": "inquisitive-albatross@example.com"
    }

  34. Attacking a JWT
    header
    {
      "typ": "JWT",
      "alg": "HS256"
    }
    claims
    {
      "ver": 1,
      "jti": "AT.JwyTSq9j454l3S6dS3USWXLUZpzGJucRwVDlVB5cHsw.US5WSFaQbBYT0/F3kc0o/+VTcuYg7pVvjevSOxdPxB0=",
      "iss": "https://dev-396343.oktapreview.com/oauth2/default",
      "aud": "api://default",
      "iat": 1543803025,
      "exp": 1543806625,
      "cid": "0oahzpp3tcpFrfcWI0h7",
      "uid": "00ui0fjkieyL46ma00h7",
      "scp": [
        "offline_access",
        "photo"
      ],
      "sub": "inquisitive-albatross@example.com"
    }
    signature

  35. Treat the JWT header as untrusted external information

  36. Never let the JWT header determine your verification mechanism

  37. Thankfully most JWT libraries fixed this in 2015-2016
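Slides 32-37 as a resource-server check, written as an added example that is not from the talk or from any JWT library: the verifier pins the expected algorithm itself and only lets the header agree with it, so a token whose header says alg=none (slide 33) or anything else is rejected before signature or claims are considered. HS256 with a shared key (stdlib hmac) stands in for the RS256 on the slides so it runs without extra packages; the issuer and audience are taken from the decoded token on slide 32, the key is constructed, and the current time is passed in explicitly.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token the way the authorization server would (HMAC-SHA256, shared key)."""
    signing_input = segment({"typ": "JWT", "alg": "HS256"}) + "." + segment(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Resource-server check. The algorithm is fixed by the caller; the header is
    untrusted input that may only agree with it and never selects the mechanism."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # rejects "none" and every other algorithm
        raise ValueError("unexpected alg in header: %r" % header.get("alg"))
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("issuer or audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    return claims

def accepts(token: str, key: bytes, issuer: str, audience: str, now: float) -> bool:
    try:
        verify_hs256(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False

def alg_none_token(claims: dict) -> str:
    """Slide-33 shape, used only as the negative test case: alg=none and an empty third segment."""
    return segment({"typ": "JWT", "alg": "none"}) + "." + segment(claims) + "."
```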

  38. GOOGLE: OAUTH PHISHING

  39. 2017

  40. https://accounts.google.com/oauth/authorize?response_type

  41. https://arstechnica.com/information-technology/2017/05/dont-trust-oauth-why-the-google-docs-worm-was-so-convincing/

  42. https://accounts.google.com/oauth/authorize?response_type

  43. https://developers.google.com/terms/api-services-user-data-policy

  46. https://support.google.com/cloud/answer/9110914

  47. https://blog.context.io/context-io-deprecation-notice-ce8b77e6e477

    https://www.voice2biz.com/oauth-2-0-for-google-apis-3rd-party-audit-costs-require-emailmonkey-to-shutdown/

    https://help.ifttt.com/hc/en-us/articles/360020249393-Important-update-about-Gmail-on-IFTTT

  48. FACEBOOK: STOLEN ACCESS TOKENS (improperly issued)

  49. 2018

  50. "The vulnerability was the result of the interaction of three distinct bugs"
    - Guy Rosen, VP of Product Management, Facebook
    https://newsroom.fb.com/news/2018/09/security-update/

  51. The vulnerability was the result of the interaction of three distinct bugs:
    https://newsroom.fb.com/news/2018/09/security-update/

  59. The vulnerability was the result of the interaction of three distinct bugs:
    ??!
    https://newsroom.fb.com/news/2018/09/security-update/

  60. By using the "View As" feature to see what your profile looks like to someone else, you would end up with an access token belonging to that user, which had the permissions of the Facebook mobile app.

  61. Keep clean security boundaries even for internal applications

  62. Don't let applications pretend to be other applications or other users

  63. oauth2simplified.com

  64. Thank You!
    @aaronpk
    aaronpk.com