Effortless Signing Into One Billion Mobile App Accounts With OAuth 2.0 : BLACKHAT EUROPE 2015
Security researchers from the Chinese University of Hong Kong Ronghai Yang, Wing Cheong Lau, and Tianyu Liu, exposed that a Wrong oAuth 2.0 implementation allows a remote simple hack , that makes more than 1 Billion Android App Accounts vulnerable.
Those vulnerable apps have been downloaded as many as 1 billion times, possibly more, the researchers claimed.
The Flaw would allow a remote attacker to silently access any user account , as long as they knew the username of the victim.
Those usernames could be guessed or found via open source intelligence — i.e. searching Google and Facebook.
The problem lies in developer’s use of OAuth, a protocol that allows users to sign in wih credentials from another major site, like Facebook or Google.
Developers have failed to properly check the information sent back from ID providers.
That allows hackers to sign in to an app with their own account, but switch in the username of the victim to gain access to the latter’s account.
The OAuth 2.0 authentication protocol is widely used on social networking sites, every day billion of users access their profiles on Facebook and Google+ using it.
Using the OAuth 2.0, users can sign in for third-party services by verifying existing identity through their accounts on popular web services such as Google, Facebook, or Sina.
Once authenticated, the users haven’t to provide their credentials to access other services implementing the OAuth 2.0 protocol.
This process enables users to sign-in to any service without providing additional usernames or passwords. This magic is possible because when a user logs into a third party app via OAuth, the app checks with the ID provider (i.e. Facebook, Google).
The ID providers, in turn, provide the Access Token to the server of that mobile app that uses it to request the user’s authentication information from the ID provider (i.e. Facebook). In this way, it is able to check user’s identity with data provided by the ID provider and authorize the login.
The experts explained that the server app instead of verifying the OAuth information included in the Access Token to authenticate the user, the app server would only check if the information is passed by a legitimate ID provider.
This implementation opens the doors to the attackers that can install the flawed app on their mobile devices, log in to their own account and then simply by changing their username to the victim’s one by setting up a server to modify the data sent from Facebook, Google or other ID providers.
A Partial List of Vulnerable Mobile Apps:
Image Source : securityaffairs