‘Dirty dancing’ in OAuth: Researcher discloses how cyber-attacks can lead to account hijacking

Single-click account takeovers are made possible by taking advantage of quirks in OAuth


It is possible to perform single-click account hijacking by abusing the OAuth process flow, a security researcher has found.

OAuth (Open Authorization) is a framework for delegated access: instead of handing a third-party service their username and password, users authorize that service at their identity provider, and the provider issues the service a scoped, time-limited access token.

However, in some scenarios, attackers can abuse OAuth implementations to steal these tokens and perform one-click account hijacking.

Dirty dancing

On July 6, Frans Rosén, Security Advisor at Detectify, walked us through several potential attack vectors and how organizations can mitigate the risk of compromise.

Rosén describes these scenarios as “dirty dancing”. An OAuth ‘dance’ is the sequence of redirects between the user’s browser, the website (the OAuth client) and the provider that signs the user in and hands back an authorization code or token. Attackers can abuse that dance by combining response-type switching, invalid state values, and redirect URI handling “quirks” to steal the authorization code or token meant for the victim.

Browser developers, including Google and Mozilla, have worked hard in recent years to close off pathways to cross-origin referer leaks and cross-site scripting (XSS) attacks.

However, as MITRE’s 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, made public at the end of June, shows, these weaknesses remain common and a threat to users worldwide.

Abusing the sign-in flow

The defences browsers now offer against these attacks include Content Security Policy (CSP) and Trusted Types, which let a site restrict where scripts may be loaded from and reject untrusted strings before they reach DOM sinks that could lead to DOM XSS and credential theft.

However, the researcher says that the OAuth sign-in flow, used by companies including Slack, Facebook, and Twitter, can potentially be ‘broken’ to the same effect: a secret that lets an attacker act as the user leaks out of the browser.

These attacks aren’t easy to perform: as Rosén says, they involve a ‘grind’ of examining source code and understanding how each provider’s OAuth dance works.

Breaking the chain

To steal tokens, an attacker must first break the chain between the system issuing tokens (the OAuth provider) and the website consuming them.

This can be done by swapping the state value: the attacker starts a sign-in themselves, captures the authorization link that carries their own valid state, and sends that link to the victim as a sign-in page.

Once the victim has signed in and is redirected back to the website, the ‘dance’ is interrupted: the state in the URL belongs to the attacker’s session, not the victim’s, so the check fails and the victim is shown an error page with the authorization code still sitting in its URL. If the attacker can leak that URL from the error page, for example through third-party scripts or referer leaks, the researcher says the threat actor “can now sign in with their own state and the code leaked from the victim”.


Response-type and response-mode switching, and abuse of the redirect_uri path, can likewise be used to divert the response and cause unexpected behaviour, although pulling off these switches is harder.

“In a proper OAuth-dance using code, in the last step to acquire the access token from the service provider, the redirect_uri must also be provided for validation to the service provider,” Rosén explains.

“If the redirect_uri that was used in the dance is mismatching the value that the website sends to the provider, no access token will be issued.”

One-click hijack

The researcher tested out different attack methods and achieved one-click hijacking. One exploit involving Apple OAuth sign-in was reported on May 12.

There are other quirks attackers can exploit to grab leaked URLs: an XSS flaw on the third-party domain that receives URL data during authentication, or abuse of APIs intended for fetching URLs. Domains without sufficient origin checks, for example, may be at risk.

“Due to the fact that each OAuth provider allows so many different response types and modes, it becomes quite tricky for a website to cover all different cases,” Rosén says.

To reduce the risk, the researcher recommends reviewing the OAuth 2.0 Security Best Current Practice guide, making sure that any page rendered in response to an OAuth authorization response contains no third-party resources or links, and allowing only a limited set of OAuth response types and modes.
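How a provider can enforce the “limited response types and modes” recommendation, together with strict redirect_uri matching, on every incoming authorization request, as an added example written for this page (not Rosén’s code and not any real provider’s implementation). The registered client, its allowed values, and the constructed request variants are assumptions; a real provider would look the client up by client_id in its registration store. Requiring `state` is a policy choice made here, not something the article prescribes.

```javascript
// Hypothetical client registration; names and URLs are made up.
const REGISTERED_CLIENTS = {
  'website-client': {
    redirectUris: ['https://website.example/oauth/callback'],
    responseTypes: ['code'],   // no 'token', 'id_token' or hybrid combinations
    responseModes: ['query'],  // no 'fragment', 'form_post' or 'web_message'
  },
};

// Exact match after WHATWG URL normalisation (lower-cased host, resolved '.'/'..'
// segments), so path tricks under the registered prefix do not slip through.
// A fragment in redirect_uri is rejected outright.
function redirectUriAllowed(registered, candidate) {
  let u;
  try { u = new URL(candidate); } catch { return false; }
  if (u.hash !== '') return false;
  return registered.some((r) => new URL(r).href === u.href);
}

// Validates one authorization request the way the provider should, before it shows
// the user a sign-in or consent page.
function validateAuthorizationRequest(authUrl) {
  const p = new URL(authUrl).searchParams;
  const client = REGISTERED_CLIENTS[p.get('client_id')];
  if (!client) return { ok: false, error: 'unknown client_id' };
  // response_type may be space-separated ("code id_token"); every part must be allowed.
  const types = (p.get('response_type') || '').split(/\s+/).filter(Boolean);
  if (types.length === 0 || types.some((t) => !client.responseTypes.includes(t))) {
    return { ok: false, error: `response_type not allowed: ${p.get('response_type')}` };
  }
  const mode = p.get('response_mode') || 'query'; // default response mode for the code flow
  if (!client.responseModes.includes(mode)) return { ok: false, error: `response_mode not allowed: ${mode}` };
  const redirectUri = p.get('redirect_uri') || '';
  if (!redirectUriAllowed(client.redirectUris, redirectUri)) return { ok: false, error: `redirect_uri not allowed: ${redirectUri}` };
  if (!p.get('state')) return { ok: false, error: 'missing state' }; // policy choice of this example
  return { ok: true, responseType: types.join(' '), responseMode: mode, redirectUri };
}

// Constructed requests: the first is what the website itself generates, the rest are
// the kind of switched or malformed variants an attacker would put in a crafted link.
const AUTHORIZE = 'https://provider.example/authorize';
function request(overrides) {
  const u = new URL(AUTHORIZE);
  const params = { client_id: 'website-client', response_type: 'code', state: 'abc123',
                   redirect_uri: 'https://website.example/oauth/callback', ...overrides };
  for (const [k, v] of Object.entries(params)) if (v !== undefined) u.searchParams.set(k, v);
  return u.toString();
}
const CASES = {
  legit: request({}),
  tokenSwitch: request({ response_type: 'token' }),
  hybridSwitch: request({ response_type: 'code id_token' }),
  fragmentMode: request({ response_mode: 'fragment' }),
  webMessageMode: request({ response_mode: 'web_message' }),
  pathTraversal: request({ redirect_uri: 'https://website.example/oauth/callback/../static/404' }),
  fragmentInRedirect: request({ redirect_uri: 'https://website.example/oauth/callback#x' }),
  missingState: request({ state: undefined }),
};

// Returns { caseName: accepted } for every constructed request.
function evaluateCases() {
  return Object.fromEntries(Object.entries(CASES).map(([name, url]) => [name, validateAuthorizationRequest(url).ok]));
}

console.log(evaluateCases()); // only `legit` is true
```

The point of doing this on the provider side is the one Rosén makes in the quote above: the website cannot reasonably anticipate every response type and mode a provider supports, but the provider can refuse to honour any combination the client never registered, which removes the switching options from the attacker’s crafted link before the victim ever signs in.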

“You might not use any vulnerable third-party scripts today, but if anyone in your organization introduces anything new through Google Tag Manager or similar, or if the third-party scripts change, you can prevent any future potential token leakage,” Rosén commented.

