OAuth User Profile Attack - Black Hat


OAuth User Profile Attack
How to Sign into One Billion Mobile App Accounts Effortlessly
Ronghai Yang, Prof. Wing Cheong Lau and Tianyu Liu
The Chinese University of Hong Kong
Nov 4, 2016

Slide 2: Outline
- Background of OAuth2.0
- Unwell-defined protocol for mobile platforms
- User Profile Vulnerability
- Exploit Challenges & Tricks
- Case study
- Corresponding Remedies

Slide 3: What is OAuth2.0?

Slide 4: Three Parties in OAuth2.0
- User
- Identity Provider (IdP)
- Relying Party (RP)
Goal: The user can log into the RP via the IdP

Slide 5: Basic Interactions among User, RP and IdP
[diagram: the RP server asks the user "Who are you?"; the user asks the IdP server to "Tell IMDB my identity"; the IdP server answers "This is your identity proof"; the user presents it to the RP server ("This is my identity proof"); the RP server replies "Welcome, Ronghai!"]
- Such an identity proof is the "access token (AT)" in OAuth2.0.
- OAuth2.0 supports two types of mode: authorization code flow & implicit flow

Slides 6-8: OAuth2.0 Protocol Flow for Mobile: Implicit Flow
[diagram, built up over three slides: on the user device, the RP app sends an auth req to the IdP app; the IdP app performs authentication & authorization with the IdP server; the RP server is shown on the other side of the user device]

Slide 9: OAuth2.0 Protocol Flow for Mobile: Implicit Flow
[diagram: after authentication & authorization, the IdP server returns the AT and user info to the IdP app, which passes them to the RP app, which forwards them to the RP server]
Token response from the IdP server:
{"token_type": "Bearer", "expires_in": 7104, "id": "100008512695261", "access_token": "CAABzj3PSN8C6OELrcr44hSlITO6"}

Slide 10: OAuth2.0 Protocol Flow for Mobile: Implicit Flow
[diagram: same flow; the RP server makes an API request for user info using the access token]
API request for user info with the access token:
https://graph.facebook.com/me?access_token=CAABzj3PSNiUBAF9MQrrNHwoZ

Slide 11: OAuth2.0 Protocol Flow for Mobile: Implicit Flow
[diagram: same flow; the API request for user info with the access token returns the user profile information]
User profile information:
{
  "id": "100008512695261",
  "birthday": "02/01/1991",
  "email": "ronghai@gmail.com",
  "first_name": "Ronghai",
  "gender": "male",
  "last_name": "Yang",
  "link": "https://www.facebook.com/profile.php?id=100.1",
  "name": "Ronghai Yang"
}

Slide 12: Unwell-defined Portions of Protocol Call-flow
- Neither RFC nor IdPs provides the complete call-flow
- How to communicate between RP app and IdP app: the browser splits into two apps
- How to process identity proof: server-to-server verification

Slide 13: Common Mistake 1: Android Account Manager
- Centralized database to store user accounts (fragment shown on the slide: INSERT INTO "accounts" 'password', NULL))
- Integrated into OAuth2.0 when using Google as the IdP

Slide 14: Common Mistake 1: Android Account Manager
[diagram: the RP app sends an auth request to the IdP app and receives account info (user email); a separate token request goes to the IdP server after authentication & authorization; the RP server is on the other side]
- Two steps to obtain the access token
  - Auth request: getAccounts()
  - Token request: GoogleAuthUtil.getToken()
- Step 2 is often omitted by RP developers

Slide 15: Common Mistake 2: RP App Fails to Return AT
[diagram: the IdP app returns the AT and user info to the RP app, but the RP app sends only the user info to the RP server]
- The RP app does not return the AT to the RP server
- The RP server only depends on user info to identify the user
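The following is an added example, not code from the slides or from any of the apps studied. It contrasts an RP server that identifies the user from the client-supplied user info (Common Mistake 2) with one that sends the access token to the IdP and takes the identity from the IdP's answer (the server-to-server verification of slide 12). The IdP is a constructed in-memory stand-in so the example runs offline; the user ids, app ids and tokens are made up, and the app_id check on the IdP's response is an assumption about the introspection response, not something the slides show.

```python
"""Added example: bind the login to the access token, not to client-supplied user info."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class FakeIdP:
    """Constructed stand-in for the IdP server. It issues access tokens bound to
    (user id, app id) and answers "who owns this token?" queries, the role
    https://graph.facebook.com/me?access_token=... plays on the slides."""
    profiles: dict                               # uid -> public profile
    tokens: dict = field(default_factory=dict)   # token -> (uid, app_id)

    def issue_token(self, uid: str, app_id: str) -> str:
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (uid, app_id)
        return token

    def userinfo(self, token: str) -> Optional[dict]:
        """Server-to-server lookup: profile of the token's owner plus the app the
        token was issued to, or None for an unknown token."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        uid, app_id = entry
        return {**self.profiles[uid], "app_id": app_id}


def vulnerable_login(client_payload: dict) -> str:
    """Common Mistake 2: the RP app never sends the AT, so the RP server can only
    believe whatever user info arrives from the client. A rewritten 'id' field
    logs the client in as someone else."""
    return client_payload["user_info"]["id"]


def hardened_login(client_payload: dict, idp: FakeIdP, my_app_id: str) -> Optional[str]:
    """Never trust client-side information: ask the IdP who the token belongs to,
    and accept only tokens issued to this RP (the app_id comparison is an assumed
    field of the introspection response)."""
    token = client_payload.get("access_token")
    if not token:
        return None          # no AT at all: nothing to verify, refuse the login
    info = idp.userinfo(token)
    if info is None or info.get("app_id") != my_app_id:
        return None
    return info["id"]        # identity comes from the IdP, not from the client JSON


def demo() -> dict:
    """Constructed scenario: Eve holds a valid token; the user_info block of one
    request has been rewritten to Alice's public id (the substitution on slide 27)."""
    idp = FakeIdP(profiles={
        "1001": {"id": "1001", "name": "Eve"},
        "2002": {"id": "2002", "name": "Alice"},
    })
    eve_token = idp.issue_token("1001", app_id="answers-app")
    honest = {"access_token": eve_token, "user_info": {"id": "1001", "name": "Eve"}}
    tampered = {"access_token": eve_token, "user_info": {"id": "2002", "name": "Alice"}}
    other_app = {"access_token": idp.issue_token("1001", app_id="other-app"),
                 "user_info": {"id": "1001", "name": "Eve"}}
    return {
        "vulnerable_tampered": vulnerable_login(tampered),                      # "2002"
        "hardened_honest": hardened_login(honest, idp, "answers-app"),          # "1001"
        "hardened_tampered": hardened_login(tampered, idp, "answers-app"),      # "1001"
        "hardened_other_app": hardened_login(other_app, idp, "answers-app"),    # None
        "hardened_no_token": hardened_login({"user_info": {"id": "2002"}}, idp, "answers-app"),  # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened path still logs the tampered request in, but as the token's real owner: the user id in the request body is simply ignored. A token minted for another RP is rejected even though the IdP vouches for its owner, which is the server-side counterpart of the per-app user id remedy on slide 33.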

Slide 16: Common Mistake 3: Fail to Verify Signature of Signed id_token (OpenID Connect)
[diagram: the IdP server returns the AT and {id_token} to the IdP app; the RP app forwards the AT and id_token to the RP server, which does not verify the signature]
- id_token includes user profile information signed by the IdP server
- The signature can be incorrectly verified, e.g., not verifying the signature at all
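As an added example (not from the slides), the next block shows the difference between reading the profile out of an id_token and actually verifying it on the RP server. Production IdPs sign id_tokens with RS256 and publish their keys; this example uses HS256 with a shared secret so it runs with only the Python standard library, and the issuer, audience, key and user ids are constructed values. The token layout (header.payload.signature), the base64url handling and the claim checks are the same in the RS256 case.

```python
"""Added example: verify an OpenID Connect id_token instead of just decoding it."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example"       # constructed issuer
AUDIENCE = "answers-app"             # constructed RP client id
KEY = b"constructed-shared-secret"   # stand-in for the IdP's signing key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """IdP side: sign header.payload with the IdP key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_without_verification(id_token: str) -> dict:
    """Common Mistake 3: take the profile out of the token and believe it.
    Nothing here depends on the signature, so a rewritten payload is accepted."""
    _, payload, _ = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(id_token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> Optional[dict]:
    """RP server side: return the claims only if signature, iss, aud and exp check out."""
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None          # the token must not get to choose a weaker algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None          # signature does not cover this payload
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None          # wrong issuer, or a token minted for another RP
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def rewrite_sub_for_test(id_token: str, new_sub: str) -> str:
    """Test helper: change the subject in the payload while keeping the old signature,
    the kind of substitution the slides describe on the path to the RP server."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url_encode(json.dumps(claims).encode())}.{sig_b64}"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Constructed tokens: one valid, one with a rewritten subject, one expired,
    one issued to a different RP."""
    good = sign_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "1001", "exp": now + 3600}, KEY)
    forged = rewrite_sub_for_test(good, "2002")
    expired = sign_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "1001", "exp": now - 1}, KEY)
    wrong_aud = sign_id_token({"iss": ISSUER, "aud": "other-app", "sub": "1001", "exp": now + 3600}, KEY)
    ok = verify_id_token(good, KEY, ISSUER, AUDIENCE, now)
    return {
        "unverified_forged_sub": decode_without_verification(forged)["sub"],        # "2002"
        "verified_sub": ok["sub"] if ok else None,                                   # "1001"
        "verified_forged": verify_id_token(forged, KEY, ISSUER, AUDIENCE, now),      # None
        "verified_expired": verify_id_token(expired, KEY, ISSUER, AUDIENCE, now),    # None
        "verified_wrong_aud": verify_id_token(wrong_aud, KEY, ISSUER, AUDIENCE, now),  # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The signature check alone is not enough: the audience check stops an id_token legitimately issued to some other app from being replayed against this RP, and the expiry check bounds how long a captured token stays useful. With RS256 the only change is that `hmac.new(...)` is replaced by an RSA signature verification against the key the IdP publishes for the `kid` in the header.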

Slide 17: The Platform to Exploit the Vulnerability
[diagram: attacker device running the RP app and the IdP app; a MITM proxy on a domain under the attacker's control sits between the IdP app and the IdP server; the AT and user info flow from the IdP server to the IdP app, to the RP app and on to the RP server in numbered steps 1-5, with the step labels at the proxy partly unreadable in the transcription]

Slide 18: Challenges
- Tamper the message between RP app and RP server
  1. proprietary message exchanges
  2. digital signature/encryption, in addition to HTTPS
  3. not scalable
- Tamper messages between IdP app and IdP server
  1. messages tampered on the IdP side will be propagated to the RP side

Slide 19: Trick 1: Naive way to tamper messages between the IdP app and IdP server
- The IdP app does not adopt any practice to avoid a MITM proxy

Slide 20: Trick 2: Use WebView to bypass certificate pinning
- Certificate pinning: the IdP app only accepts the certificate from the true IdP server
- Uninstall the IdP app to downgrade to the WebView scheme

Slide 21: Trick 3: Modify IdP app to remove certificate pinning
- Some IdPs do NOT support WebView
- Existing tools do not work: SSLUnpinning
- Reverse engineering: remove the certificate pinning function, repackage

Slide 22: Trick 4: Modify RP app to remove the certificate comparison by SDK
- RP app checks whether the IdP app is legitimate: the SDK hard-codes the certificate of the true IdP app
- IdP app is re-signed
- Modify RP app: scalable, modify the same function

Slide 23: Demonstration: Attacking Answers App
Step 1: The attacker, Eve, uses her own Google account to log into Answers

Slide 24: Demonstration: Attacking Answers App
Step 2a: The attacker sets up MITMProxy
[screenshot: access token]
The access token is bound to the attacker's Google account

Slide 25: Demonstration: Attacking Answers App
Step 2b: The attacker intercepts the user-profile request via the proxy
[screenshot: the Answers app uses the access token to retrieve user data; the unique user id of Eve in Google]

Slide 26: Demonstration: Attacking Answers App
Step 3a: The attacker searches the public user profile of the victim, Alice.
Step 3b: The attacker obtains Alice's user id via URL.

Slide 27: Demonstration: Attacking Answers App
Step 4: The attacker substitutes her own user id with the victim's one
[screenshot: the victim's uid]

Slide 28: Demonstration: Attacking Answers App
The attacker logs in as the victim, Alice
- Only requires the public victim profile
- The attack can be remotely/silently launched

Slide 29: Empirical Evaluation

IdPs       # of Top Apps tested        # of Apps Support   # of Vulnerable
           (overall + per category)    OAuth2.0            Apps
Facebook   400 (300 + 100)             59                  9 (15%)
Google     400 (300 + 100)             40                  8 (20%)
Sina       200 (100 + 100)             83                  58 (70%)
Summary    1000                        182                 75 (41%)

- Facebook/Google: from Google Play, Top-300 Apps in the overall category and Top-100 Apps in different categories
- Sina: from one major Chinese app store, Top-100 Apps in the overall and different categories

Slide 30: A Partial List of Vulnerable Android Mobile Apps
[figure: list of app names, not captured in the transcription]

Slide 31: A Partial List of Vulnerable Android Mobile Apps
- The total number of downloads for this incomplete list of Android apps exceeds 2.4 billion.
- Based on the SSO-user-adoption-rate of 51%, one conservative estimate is that more than one billion of different types of app accounts are susceptible.
- Such an attack is also feasible on iOS: iOS RP apps adopt the same protocol call-flow

Slide 32: Responsible Disclosure
- We reported this issue to all three IdPs in April 2016
- Received their acknowledgements in different ways
  - Maximum bounty reward from Sina
  - Sina sent a notification letter to all its third-party app developers
- Based on our incomplete sampling very recently, most of the RPs are still vulnerable

Slide 33: Suggested Remedies
1. For IdPs:
   - Provide clearer and more security-focused guidelines
   - Issue private per-app user-id
     Facebook has adopted this practice since May 2014, but due to the backward compatibility reason, old users are still vulnerable.
   - More security testing/auditing on the RP app: we have developed an OAuthTester tool for large-scale testing
2. For RPs: Never trust client-side information
3. Follow the best practices in draft-ietf-oauth-native-apps-05

Slide 34: Thanks and Q&A
Wing Cheong Lau: www.ie.cuhk.edu.hk/~wclau/
Ronghai Yang: http://personal.ie.cuhk.edu.hk/~yr013/

