Chronicles of the Deeply Flawed - OAuth 2.0
A team from the highly respected Chinese University of Hong Kong, comprised of Ronghai Yang (PhD candidate, Department of Information Engineering), Wing Cheong Lau (Associate Professor, Department of Information Engineering) and Tianyu Liu, has documented a highly exploitable flaw in how third-party mobile apps use OAuth 2.0 for sign-in. Read the paper here: Black Hat EU 2016's 'Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0'. Hat tip!
"OAuth2.0 protocol has been widely adopted by mainstream Identity Providers (IdPs) to support Single-Sign-On service. Since this protocol was originally designed to serve the authorization need for 3rd party websites, different pitfalls have been uncovered when adapting OAuth to support mobile app authentication. To the best of our knowledge, all the attacks discovered so far, including BlackHat USA'16 [3], CCS'14 [2] and ACSAC'15 [5], require to interact with the victim, for example via malicious apps or network eavesdropping, etc. On the contrary, we have discovered a new type of widespread but incorrect usages of OAuth by 3rd party mobile app developers, which can be exploited remotely and solely by the attacker to sign into a victim's mobile app account without any involvement/awareness of the victim. To demonstrate the prevalence and severe impact of this vulnerability, we have developed an exploit to examine the implementations of 600 top-ranked US and Chinese Android Apps which use the OAuth2.0-based authentication service provided by three top-tier IdPs, namely Facebook, Google or Sina. Our empirical results are alarming: on average, 41.21% of these apps are vulnerable to this new attack. We have reported our findings to the affected IdPs, and received their acknowledgements/rewards in various ways." - via Black Hat EU 2016's publication 'Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0'
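The abstract does not spell out the misuse itself. What the paper reports is that the mobile app receives the user's identity from the IdP SDK, forwards it to the app's own backend, and the backend trusts that client-supplied identity instead of asking the IdP whom the accompanying access token actually belongs to; an attacker with a valid token for their own account can therefore substitute the victim's user id. The following is an added illustration written for this post, not code from the paper or from any affected app: a toy backend with the trusting login beside the hardened one. The IdP introspection endpoint is simulated by a dictionary, and every token string, user id and app id is constructed for the example.

```python
"""Added illustration of the OAuth-for-authentication misuse reported at
Black Hat EU 2016 (not code from the paper or from any affected app).

Assumptions, all constructed for this example: a stand-in IdP whose
token-introspection endpoint is a dict lookup; made-up token strings,
IdP user ids, local account names and app id.
"""
from dataclasses import dataclass
from typing import Optional

APP_ID = "app-12345"  # this app's client id at the IdP (constructed)

# Constructed stand-in for the IdP's token-introspection endpoint:
# access token -> (subject/user id at the IdP, client id the token was issued to)
_IDP_TOKENS = {
    "tok-attacker": ("idp-user-attacker", APP_ID),
    "tok-victim": ("idp-user-victim", APP_ID),
    "tok-other-app": ("idp-user-victim", "app-99999"),  # valid, but issued to another app
}


@dataclass
class IdpTokenInfo:
    sub: str        # the user the token really belongs to
    client_id: str  # the app the token was issued to


def idp_introspect(access_token: str) -> Optional[IdpTokenInfo]:
    """Simulates asking the IdP about a token (in production this is a call to
    the IdP, e.g. Facebook's /debug_token or Google's tokeninfo endpoint)."""
    hit = _IDP_TOKENS.get(access_token)
    return IdpTokenInfo(*hit) if hit else None


# Backend account table: IdP user id -> local account name (constructed)
ACCOUNTS = {"idp-user-attacker": "alice-attacker", "idp-user-victim": "bob-victim"}


def login_vulnerable(client_claimed_user_id: str, access_token: str) -> Optional[str]:
    """The misuse: the app forwards the user id it got from the IdP SDK and the
    backend trusts it. The token is only checked for *existence*, so any valid
    token (the attacker's own) lets the caller log in as any user id."""
    if idp_introspect(access_token) is None:
        return None
    return ACCOUNTS.get(client_claimed_user_id)


def login_hardened(access_token: str) -> Optional[str]:
    """The check: take the identity from the IdP's answer about the token and
    confirm the token was issued to this app. Client-supplied ids are ignored."""
    info = idp_introspect(access_token)
    if info is None or info.client_id != APP_ID:
        return None
    return ACCOUNTS.get(info.sub)


def demo() -> dict:
    """Attacker knows only their own token and the victim's IdP user id."""
    return {
        "vulnerable": login_vulnerable("idp-user-victim", "tok-attacker"),
        "hardened": login_hardened("tok-attacker"),
        "hardened_wrong_app": login_hardened("tok-other-app"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path returns the victim's account for the attacker's token, because nothing ties the identity the client asserts to the token it presents. The hardened path returns only the account the IdP says the token belongs to, and rejects a token issued to a different app even though the IdP considers it valid. The same rule applies to id tokens: verify the signature, the audience and the issuer on the server, and never let the client decide who it is.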