Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIsecure 2023 - Single click OAuth attack that...

APIsecure 2023 - Single click OAuth attack that may lead to account hijacking, Swapnil Deshmukh (Certus Cybersecurity Solutions)

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

Single click OAuth attack that may lead to account hijacking
Swapnil Deshmukh, CTO at Certus Cybersecurity Solutions LLC

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

March 21, 2023
Tweet

More Decks by apidays

Other Decks in Programming

Transcript

  1. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 Prerequisites 1.

    Sign into Google OAuth workflow and get client_id 2. Sign into FB federated authentication workflow and capture the code
  2. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 Sample phishing

    email will look like Hi <insert your name here>, Alex mentioned you in the following post: https://www.facebook.com/v3.0/dialog/oauth?&redirect_uri= https://[redacted]/oauth2/authorize?aid=123;client_id= d1cDdL/40ACItEtxJLTo:redirect uri=https%3A%2F%2F[redacted]%2Fsettings%2Foauth_callback response_type=code:state= <insert state here>&scope=email&response_type= token.code&client_id=210068525731476 The post already got 17 likes, and is waiting for your comment.
  3. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 https://accounts.google.com/o/oauth2/auth/identifier? client_id=[redacted].apps.googleusercontent.com&state=dEIEuiMFNKHxrpVcTG5CzSgVw5spfYzgvWtYYSkJPv

    Vhm__KA9wetQKyFm3DNzqwL43DxADaibr6GOXmniZ1RcBTT5Ummo- QDBq6tkaqbv6qGusqD7CsYadYOg1MFUWFAlDwmpntcuWpr6lTYXOy9VsxTs4YLcqUvDdoVrcopZGzF7XQsq- Hsu2E0NXLsr1IB4MHd78RRnrF8VMtQYVzvHHuoxTaZH_YuOGd7A1vOASEXbMgZP7tdmC1TNULI_OT6dFSG A4EUMRdMrQzdE&response_type=code&redirect_uri=https%3A%2F%2Fwww.facebook.com%2Foauth2%2Fre rect%2F&scope=openid email&login_hint=[redacted]gmail.com&service=lso&o2v=1&flowName=GeneralOAuthFlow In order to craft phishing email capture the state of the victim from Google auth workflow
  4. 2022 Certus Confidential 2023 Certus Cybersecurity Public 2023 View HTML

    source of the - https://www.facebook.com/oauth2/redirect/? state=dEIEuiMFNKHxrpVcTG5CzSgVw5spfYzgvWtYYSkJPvsVhm__KA9wetQKyFm3DNzqwL43DxADaibr6GOXmniZ1RcBTT5Um o-QDBq6tkaqbv6qGusqD7CsYadYOg1MFUWFAlDwmpntcuWpr6lTYXOy9VsxTs4YLcqUvDdoVrcopZGzF7XQsq- Hsu2E0NXLsr1IB4MHd78RRnrF8VMtQYVzvHHuoxTaZH_YuOGd7A1vOASEXbMgZP7tdmC1TNULI_OT6dFSGtA4EUMRdMrQzd &code=[Redacted owned by the adversary] And look for https://www.facebook. com/recover/code/[redacted] Insert the code