OAuth 2.0 Misconfiguration Leads to Account Takeover

OAuth 2.0 is the industry-standard authorization protocol. It prioritizes client developer convenience while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. OAuth, which stands for Open Authorization Framework, is the industry-standard authorization delegation protocol. OAuth 2.0 is widely used by applications (such as SaaS platforms) to access data that is already available on the Internet. This includes, for example, your Google contacts list, your Facebook friend list, and so on. If you’ve ever been asked to grant access to your personal data by a web or mobile application, you’ve most likely used OAuth 2.0. Any OAuth 2.0 misconfiguration leads to an account takeover.

What is the OAuth 2.0 Misconfiguration Vulnerability?

OAuth authentication vulnerabilities arise partly because the OAuth specification is relatively vague and flexible by design. In essence, OAuth provides developers an authorization mechanism to allow an application to access data or perform certain actions against your account from another application (the authorization server).

Generally, the account takeover via OAuth functionality occurs due to weak implementation of redirect_uri. The redirect_uri is important because sensitive data, such as the code, is appended to this URL after authorization. If the redirect_url can be redirected to an attacker-controlled server, this means the attacker can potentially take over a victim’s account by using the code themselves and gaining access to the victim’s data.

The way this is going to be exploited is going to vary by the authorization server. Some will only accept the exact same redirect_uri path as specified in the client application, but some will accept anything in the same domain or subdirectory of the redirect_url. Depending on the server’s logic, there are several techniques to bypass a redirect_url.

Who does OAuth 2.0 Misconfiguration affect?

Whenever an OAuth authentication is being used, the first thought crossing the mind of an attacker is to check if the application validates the value of redirect_url. This may lead to OAuth token stealing if the token is returned along with the callback request.

• An attacker can take over the victim’s account and compromise the system.
• If the victim has admin-level privileges, it leads to sensitive information disclosure in the organization.

How is OAuth 2.0 Misconfiguration being exploited?

There are two different ways to perform this attack

1. If the application does not require email verification on account creation, try creating an account with a victim’s email address and the attacker’s password before the victim has registered. If the victim then tries to register or sign in with a third party, such as Google, the application may do a lookup, see that email is already registered, then link their Google account to the attacker-created account. This is a “pre-account takeover” where an attacker will have access to the victim’s account if they created it prior to the victim registering.
2. If an OAuth app does not require email verification, try signing up with that OAuth app with a victim’s email address. The same issue as above could exist, but you’d be attacking it from another direction and getting access to the victim’s account for an account takeover.

Recommendations to fix OAuth Misconfiguration

Implement the following to mitigate or fix the vulnerability:

1. Avoid using redirects and forwards based on user-provided input.
2. If used, do not allow the URL as user input for the destination by implementing a method to validate the URL.
3. If user input is unavoidable, ensure that the supplied value is valid, appropriate for the application, and authorized for the user.
4. All redirects must go through a page that informs the user that they are leaving your site and requires them to click a link to confirm.

Conclusion

The blog addresses the essential issue with OAuth 2.0 misconfiguration: the general need for built-in security features. The security is almost entirely dependent on developers using the proper configuration settings and trying to implement additional safeguards, such as a robust authentication mechanism. It is important to note that vulnerabilities can arise on both the client application and the OAuth service. This article has helped you understand OAuth Vulnerabilities. There are plenty of other attacks and things that can go wrong in an OAuth implementation, but these are some of the more common ones you will see.

Securelayer7 is a leading penetration testing partner that offers state-of-the-art web apps, mobile apps, and cloud penetration testing to safeguard themselves effectively and their data from existing and emerging cyber tests. Contact us to find out how Securelayer7 can help with testing Oauth 2.0 misconfigurations.