Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Implementing safe and secure LINE Login

Eebedc2ee7ff95ffb9d9102c6d4a065c?s=47 LINE DevDay 2020
November 27, 2020
Technology
0
460

Implementing safe and secure LINE Login

Onoue Yoshinori
LINE DP Team2 Server Side Software Engineer
https://linedevday.linecorp.com/2020/ja/sessions/7159
https://linedevday.linecorp.com/2020/en/sessions/7159

Eebedc2ee7ff95ffb9d9102c6d4a065c?s=128

LINE DevDay 2020

November 27, 2020
Tweet

More Decks by LINE DevDay 2020

See All by LINE DevDay 2020
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
400
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
1.2k
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
690
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
750
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
480
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
610
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
430
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
560
Eebedc2ee7ff95ffb9d9102c6d4a065c?s=48 line_devday2020
0
810

Other Decks in Technology

See All in Technology
744424a2b6307140bf794ffb00ce5ec1?s=48 yujioshima
1
400
6eb87371ba9a9bb7767af80a5c9f5306?s=48 yhana
0
9.9k
Dc03bf56cb3157b6036f9818593d7e40?s=48 rung
0
1k
6f7b7931d8ce4dc1349767c8b086f355?s=48 keio_smilab
PRO
0
130
413a764e6df9d7f2adbddb0b278ebb7e?s=48 sosai
0
160
B87a5fff1932cdac75745f24a92ba739?s=48 ryusukekimura
0
210
D8d463da5ab4a99265ffc1d12e76cbc9?s=48 sagara
1
330
928b1395afedebb5ee48d44ab917c5f1?s=48 ryusa
1
210
0f162107f1b716c9fa62d6071eb8b995?s=48 mugi_uno
3
1k
4f43f9f4dc4cc2897841877e8f7b032f?s=48 cielan
1
290
808ce3d41280c085f8bdc27dce7ea8fb?s=48 kongmingstrap
0
2.9k
2c4b23630d3e6ee69efb4db16186d266?s=48 vananth22
0
390

Featured

See All Featured
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
335
16k
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
78
270k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
105
11k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
235
960k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
54k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
167
19k
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
6
940
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
28k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
25
930
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
208
20k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
249
21k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
364
63k

Transcript

  1. None

  2. Agenda › Introduction to LINE Login › Case Study of

    Actual Security Incidents

  3. • Social Login Service • OAuth2 compliant • OpenID Connect

    certified What's LINE Login

  4. • Social Login Service • OAuth2 compliant • OpenID Connect

    certified What's LINE Login • and many useful features • Password-less Login • QR Code Login on PC • Auto Login on Smart phone/PC

  5. • Social Login Service • OAuth2 compliant • OpenID Connect

    certified What's LINE Login • and many useful features • Password-less Login • QR Code Login on PC • Auto Login on Smart phone/PC • Bot link • Profile+ • etc.

  6. What's QR Code Login?

  7. › All LINE app users can login without ID/password What's

    Auto Login

  8. › All LINE app users can login without ID/password What's

    Auto Login › You need not to add additional implementation

  9. › All LINE app users can login without ID/password What's

    Auto Login › Authentication information is passed from LINE client app and server to your web site or native application securely. › PKCE like mechanism is used › You need not to add additional implementation

  10. Agenda › Introduction to LINE Login › Case Study of

    Actual Security Incidents › Target of This Presentation › case 1 › case 2 › case 3 › case 4

  11. Case Study of Actual Security Incidents › Vulnerability caused by

    wrong implementation of user services › Vulnerability in LINE Login / LIFF Platform itself

  12. Case Study of Actual Security Incidents › Vulnerability caused by

    wrong implementation of user services › Even if LINE Login platform has no vulnerability, wrong implementation by user service will lead to vulnerability, such as information leak, identity theft. › Vulnerability of LINE Login Platform itself › LINE Login platform developers fix them with the highest priority. 5BSHFUPGUIJTQSFTFOUBUJPO

  13. Social Login LINE Login yoursite.com 1. login request end user

  14. Social Login LINE Login yoursite.com 1. login request 2. redirected

    to LINE Login server end user

  15. Social Login LINE Login yoursite.com 1. login request 2. redirected

    to LINE Login server 3. ID/password input etc. end user

  16. Social Login LINE Login yoursite.com 1. login request 2. redirected

    to LINE Login server 3. ID/password input etc. 4. allow data access by yousite.com end user

  17. Social Login LINE Login yoursite.com 1. login request 2. redirected

    to LINE Login server 3. ID/password input etc. 5. redirected to yoursite.com with access right to the login user's data 4. allow data access by yousite.com end user

  18. Social Login LINE Login yoursite.com 1. login request 2. redirected

    to LINE Login server 3. ID/password input etc. 5. redirected to yoursite.com with access right to the login user's data 4. allow data access by yousite.com end user 6. access the user's data

  19. Case 1

  20. Case 1 - Access Token in Query Parameter BDDFTT@UPLFO

  21. Case 1 - Access Token in Query Parameter BDDFTT@UPLFO ›

    Query parameter value can be exposed easily. › Evil attacker can get user information with the access token.

  22. Case 1 - Access Token in Query Parameter LINE Login

    server

  23. Case 1 - Access Token in Query Parameter 1. An

    attacker posts a link to evil.com LINE Login server

  24. Case 1 - Access Token in Query Parameter 1. An

    attacker posts a link to evil.com 2. A victim clicks the link LINE Login server

  25. Case 1 - Access Token in Query Parameter 1. An

    attacker posts a link to evil.com 2. A victim clicks the link 3. The access_token is sent to the attacker's web server in Referrer header LINE Login server

  26. Case 1 - Access Token in Query Parameter 1. An

    attacker posts a link to evil.com 2. A victim clicks the link 3. The access_token is sent to the attacker's web server in Referrer header 4. The Attacker can get user information by the access token LINE Login server

  27. Case 1 - Access Token in Query Parameter Solution ›

    Do not expose access token. Instead use, for example, › Server storage › Browser storage with same origin policy, like session storage › Native app storage

  28. Case 2 https://access.line.me/oauth2/v2.1/authorize ?client_id=987654321 &scope=profile &response_type=code &redirect_uri=https%3A%2F%2Fexample.com%2Flogin%2Fcallback &state=GsdtJnrabFMWcHsq2Od8

  29. Case 2 https://access.line.me/oauth2/v2.1/authorize ?client_id=987654321 &scope=profile &response_type=code &redirect_uri=https%3A%2F%2Fexample.com%2Flogin%2Fcallback &state=GsdtJnrabFMWcHsq2Od8 https://access.line.me/oauth2/v2.1/authorize ?client_id=987654321

    &scope=profile &response_type=code &redirect_uri=https%3A%2F%2Fexample.com%2Flogin%2Fcallback &state=GsdtJnrabFMWcHsq2Od8 Another login attempts

  30. Case 2 - Fixed State Value https://access.line.me/oauth2/v2.1/authorize ?client_id=987654321 &scope=profile &response_type=code

    &redirect_uri=https%3A%2F%2Fexample.com%2Flogin%2Fcallback &state=GsdtJnrabFMWcHsq2Od8 https://access.line.me/oauth2/v2.1/authorize ?client_id=987654321 &scope=profile &response_type=code &redirect_uri=https%3A%2F%2Fexample.com%2Flogin%2Fcallback &state=GsdtJnrabFMWcHsq2Od8 Another login attempts

  31. Case 2 - Fixed State Value LINE Login yoursite.com How

    'state' works

  32. Case 2 - Fixed State Value LINE Login yoursite.com 1.

    yoursite.com issues a state for an user and redirects a request to LINE Login How 'state' works

  33. Case 2 - Fixed State Value 2. The user do

    'LINE Login' LINE Login yoursite.com 1. yoursite.com issues a state for an user and redirects a request to LINE Login How 'state' works

  34. Case 2 - Fixed State Value 2. The user do

    'LINE Login' LINE Login yoursite.com 1. yoursite.com issues a state for an user and redirects a request to LINE Login How 'state' works 3. LINE Login redirects the request to yoursite.com w/ the state value

  35. Case 2 - Fixed State Value 2. The user do

    'LINE Login' LINE Login yoursite.com 1. yoursite.com issues a state for an user and redirects a request to LINE Login 4. The user is redirected to yoursite.com How 'state' works 3. LINE Login redirects the request to yoursite.com w/ the state value

  36. Case 2 - Fixed State Value 2. The user do

    'LINE Login' LINE Login yoursite.com 1. yoursite.com issues a state for an user and redirects a request to LINE Login 4. The user is redirected to yoursite.com 5. yoursite.com can reject the request if state value is different from the one issued for the user How 'state' works 3. LINE Login redirects the request to yoursite.com w/ the state value

  37. Case 2 - Fixed State Value LINE Login yoursite.com If

    'state' is fixed value, CSRF attack can be possible.

  38. Case 2 - Fixed State Value 1. An attacker try

    LINE Login for yoursite.com LINE Login yoursite.com If 'state' is fixed value, CSRF attack can be possible.

  39. Case 2 - Fixed State Value 1. An attacker try

    LINE Login for yoursite.com LINE Login 2. The attacker stops to redirect to yoursite.com yoursite.com If 'state' is fixed value, CSRF attack can be possible.

  40. Case 2 - Fixed State Value 1. An attacker try

    LINE Login for yoursite.com LINE Login 2. The attacker stops to redirect to yoursite.com yoursite.com 3. The attacker sends a victim the redirect link in some website or e-mail etc. If 'state' is fixed value, CSRF attack can be possible.

  41. Case 2 - Fixed State Value 1. An attacker try

    LINE Login for yoursite.com LINE Login 2. The attacker stops to redirect to yoursite.com yoursite.com 3. The attacker sends a victim the redirect link in some website or e-mail etc. 4. The victim clicks the link and login to yoursite.com as the attacker If 'state' is fixed value, CSRF attack can be possible.

  42. Case 2 - Fixed State Value 1. An attacker try

    LINE Login for yoursite.com LINE Login 2. The attacker stops to redirect to yoursite.com yoursite.com 5. The victim uploads sensitive data. The date is stored as the attacker's data since the victim is logging in as the attacker. 3. The attacker sends a victim the redirect link in some website or e-mail etc. 4. The victim clicks the link and login to yoursite.com as the attacker If 'state' is fixed value, CSRF attack can be possible.

  43. Case 2 - Fixed State Value Solution Summary What yoursite.com

    should do is 1. Issue a random value as state for each login attempts. 2. Store it securely, for example, as browser cookie. 3. Redirect the login request to LINE Login authorization endpoint with the state parameter. 4. Reject if a state value returned from LINE Login is different from the value issued at step 1.

  44. Case 3 LINE Login yoursite.com 1. do 'LINE Login' &

    get the user ID

  45. Case 3 LINE Login yoursite.com 1. do 'LINE Login' &

    get the user ID 2. call some server API

  46. Case 3 - User ID as Credential 2. call some

    server API LINE Login 1. do 'LINE Login' for a native app or SPA & get the user ID yoursite.com

  47. Case 3 - User ID as Credential LINE Login yoursite.com

  48. Case 3 - User ID as Credential 1. An attacker

    does 'LINE Login' & get the attacker's user ID LINE Login yoursite.com

  49. Case 3 - User ID as Credential 1. An attacker

    does 'LINE Login' & get the attacker's user ID LINE Login yoursite.com 2. call some server API w/ another user ID AAAAAAA

  50. Case 3 - User ID as Credential 1. An attacker

    does 'LINE Login' & get the attacker's user ID 3. The attacker can get/update a victim's data LINE Login yoursite.com 2. call some server API w/ another user ID AAAAAAA

  51. Case 3 - User ID as Credential Actually it's difficult

    for an attacker to find a valid LINE user ID. 1. LINE User ID is random value generated by cryptographically secure way. 2. LINE User ID is PPID. The ID value for service provider A is different from the ID value for service provider B even if the IDs are for same user.

  52. Case 3 - User ID as Credential Actually it's difficult

    for an attacker to find a valid LINE user ID. 1. LINE User ID is random value generated by cryptographically secure way. 2. LINE User ID is PPID. The ID value for service provider A is different from the ID value for service provider B even if the IDs are for same user. But this does not mean no risk.

  53. Case 3 - User ID as Credential Solution * Stop

    using user ID as credential * Use ID Token / Access Token instead

  54. Case 3 - User ID as Credential Solution * Stop

    using user ID as credential * Use ID Token / Access Token instead NOT enough!!!

  55. Case 4 2. call some server API 1. do 'LINE

    Login' & get an access token LINE Login yoursite.com

  56. Case 4 - No Token validation 2. call some server

    API 1. do 'LINE Login' & get an access token Validate the token received! LINE Login yoursite.com

  57. Case 4 - No Token validation seems.safe.but.evil.com LINE Login yoursite.com

  58. Case 4 - No Token validation 1. A victim does

    'LINE Login' & get an access token for an attacker's service seems.safe.but.evil.com LINE Login yoursite.com

  59. Case 4 - No Token validation 1. A victim does

    'LINE Login' & get an access token for an attacker's service seems.safe.but.evil.com 2. The attacker's service get the token LINE Login yoursite.com

  60. Case 4 - No Token validation 1. A victim does

    'LINE Login' & get an access token for an attacker's service seems.safe.but.evil.com 2. The attacker's service get the token 3. The attacker calls yoursite.com with the access token LINE Login yoursite.com

  61. Case 4 - No Token validation 1. A victim does

    'LINE Login' & get an access token for an attacker's service seems.safe.but.evil.com 2. The attacker's service get the token 3. The attacker calls yoursite.com with the access token LINE Login yoursite.com 4. LINE API is called as the victim & the victim's user ID is returned

  62. Case 4 - No Token validation 2. The attacker's service

    get the token 1. A victim does 'LINE Login' & get an access token for an attacker's service 3. The attacker calls yoursite.com with the access token 4. Call Token Validation API before other API call Solution seems.safe.but.evil.com LINE Login yoursite.com

  63. Case 4 - No Token validation Call Verify Access Token

    API and confirm that returned client_id is your service's client ID curl -v -X GET \ 'https://api.line.me/oauth2/v2.1/verify?access_token=eyJhbGciOiJIUzI1NiJ9.UnQ_o-GP0VtnwDjbK0C8E_NvK...' { "scope":"profile", "client_id":"1440057261", "expires_in":2591659 } https://developers.line.biz/en/reference/social-api/#verify-access-token

  64. Case 4 - No Token validation If you use ID

    Token, you can validate it by yourself. https://developers.line.biz/en/docs/line-login/integrate-line-login/#write-original-code

  65. Case 4 - No Token validation If you use ID

    Token, you can validate it by yourself. https://developers.line.biz/en/docs/line-login/integrate-line-login/#write-original-code LINE Login provides a utility API and you can use it to verify ID Token. https://developers.line.biz/en/reference/social-api/#verify-id-token curl -v -X POST 'https://api.line.me/oauth2/v2.1/verify' \ -d 'id_token=eyJraWQiOiIxNmUwNGQ0ZTU2NzgzYTc5MmRjYjQ2ODRkOD...&client_id=1440057261' { "iss": "https://access.line.me", "sub": "U1234567890abcdef1234567890abcdef", "aud": "1234567890", "exp": 1504169092, "iat": 1504263657, "nonce": "0987654asdf", "amr": [ "pwd", "linesso", "lineqr" ], "name": "Taro Line", "picture": "https://sample_line.me/aBcdefg123456", "email": "taro.line@example.com" }

  66. Make useful and secure internet services together with us Thank

    you!