Security researcher Frans Rosén, from Detectify, published a detailed report on July 6 showing three scenarios in which an attacker can abuse OAuth to steal tokens and take over an account with a single click. The report also shows how organizations can reduce the risk of compromise. According to Rosén, there are many vulnerable scenarios in which authorization codes (or tokens) can be leaked to an attacker, especially when response type switching, “invalid state” handling and redirect URI quirks are combined with third-party JavaScript loaded on the client's pages.
Rosén describes these scenarios as “dirty dance”: attackers can abuse the ‘dances’ of OAuth – its authentication processes and how they manage communication between a browser and a service provider.
Browser developers including Google and Mozilla have worked hard in recent years to block potential avenues for cross-reference leaks and cross-site scripting (XSS) attacks. However, these attacks are still common and a threat to users around the world, as highlighted by the latest MITRE Common Weakness Enumeration (CWE) 2022 list of the most dangerous software weaknesses, released in late June.
Solutions implemented by browsers to reduce the risk of these attacks include Content Security Policy (CSP) and Trusted Types, which let applications reject data values that could lead to DOM XSS and credential hijacking. However, the researcher says that the OAuth login flow, used by companies like Slack, Facebook and Twitter, can be “broken” with the same impact.
What is OAuth?
OAuth, also known as Open Authentication, is a framework for managing identities and securing access to resources on third-party services. Instead of relying on an account's username and password combination, for example, service providers can use OAuth to issue temporary, secure access tokens.
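The strict checks a client's OAuth callback handler can apply against the “invalid state” and redirect URI quirks mentioned above, as an added illustration that is not from Rosén's report or from CisoAdvisor; the function names, the session dict and the app.example URLs are assumptions:

```python
from urllib.parse import urlsplit, parse_qs
import hmac
import secrets

# Constructed defensive example (assumed names, not any provider's code):
# the only parameters a code-flow client expects back on its callback.
ALLOWED_RESPONSE_PARAMS = {"code", "state"}


def new_state(session: dict) -> str:
    """Generate a fresh state value and bind it to the user's session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return session["oauth_state"]


def validate_callback(landing_url: str, expected_redirect_uri: str, session: dict):
    """Return (True, code) or (False, reason). Fail closed on anything not requested.

    landing_url is the full URL the browser arrived on (a front-end can report
    location.href so the fragment is visible too). Callers should answer any
    failure with a minimal page that loads no third-party scripts, so a URL
    still carrying a code is never exposed to them.
    """
    got, want = urlsplit(landing_url), urlsplit(expected_redirect_uri)
    # Exact match on scheme, host and path: no extra path segments or suffixes.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        return False, "redirect_uri mismatch"
    # A fragment means the response mode/type was switched away from a code in the query.
    if got.fragment:
        return False, "unexpected fragment"
    params = parse_qs(got.query, keep_blank_values=True)
    extra = set(params) - ALLOWED_RESPONSE_PARAMS
    if extra:
        return False, f"unexpected parameters: {sorted(extra)}"
    if len(params.get("code", [])) != 1:
        return False, "missing code"
    stored = session.pop("oauth_state", None)  # state is single-use
    received = params.get("state", [""])[0]
    if not stored or not hmac.compare_digest(stored.encode(), received.encode()):
        return False, "invalid state"
    return True, params["code"][0]
```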
Rosén’s report is available at https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
Source: CisoAdvisor