Account hijacking using "dirty dancing" in sign-in OAuth-flows

Transcript

1. Frans Rosén Sikkerhetsfestivalen Lillehammer 2022 Account hijacking using “dirty dancing"

   in sign-in OAuth-flows

2. PUBLIC Rundown 2 • Intro • Elevator pitch • History

   • Theory • Results and findings • Demo • Conclusions

3. PUBLIC Introduction 3 • Security advisor @ Detectify • Bug

   hunter since 2012 • I killed TLS-SNI-01 • My blog post got Trump hacked

4. Disclaimer: OAuth flavours

5. PUBLIC OAuth flavours 5

6. PUBLIC Elevator pitch: OAuth for web apps

7. PUBLIC OAuth for web apps 7

8. PUBLIC OAuth for web apps 8 reddit.com

9. PUBLIC OAuth for web apps 9 reddit.com Sign in with

   Google

10. PUBLIC OAuth for web apps 10 reddit.com Sign in with

    Google reddit.com/oauth?code=SECRET&…

11. PUBLIC OAuth for web apps 11 reddit.com Sign in with

    Google reddit.com/oauth?code=SECRET&… Signed in!

12. PUBLIC Common response types/modes

13. PUBLIC Common response types 13 • code + state 


    https://example.com/?code=xxx&state=yyy 
 Website need to ask provider to validate. Code can only be used once 


14. PUBLIC Common response types 14 • code + state 


    https://example.com/?code=xxx&state=yyy 
 Website need to ask provider to validate. Code can only be used once 
 • id_token 
 https://example.com/#id_token=eyJ… 
 Signed info about user using public cert of provider

15. PUBLIC Common response types 15 • code + state 


    https://example.com/?code=xxx&state=yyy 
 Website need to ask provider to validate. Code can only be used once 
 • id_token 
 https://example.com/#id_token=eyJ… 
 Signed info about user using public cert of provider 
 • token 
 https://example.com/#access_token=xxx 
 Token can be used with provider’s API

16. PUBLIC Common response modes 16 • Query 
 https://example.com?code=x&state=y 


    Query parameters sent to the website. Only allowed for response type code 


17. PUBLIC Common response modes 17 • Query 
 https://example.com?code=x&state=y 


    Query parameters sent to the website. Only allowed for response type code 
 • Fragment 
 https://example.com#access_token=xxx 
 Does not end up in server logs, only reached by Javascript 


18. PUBLIC Common response modes 18 • Query 
 https://example.com?code=x&state=y 


    Query parameters sent to the website. Only allowed for response type code 
 • Fragment 
 https://example.com#access_token=xxx 
 Does not end up in server logs, only reached by Javascript 
 • Web message 
 postMessage({accessToken: 'xxx'}, 'https://example.com') 
 Sent as a postMessage to the website 


19. PUBLIC Common response modes 19 • Query 
 https://example.com?code=x&state=y 


    Query parameters sent to the website. Only allowed for response type code 
 • Fragment 
 https://example.com#access_token=xxx 
 Does not end up in server logs, only reached by Javascript 
 • Web message 
 postMessage({accessToken: 'xxx'}, 'https://example.com') 
 Sent as a postMessage to the website 
 • Form post 
 <form method=POST action=https://example.com>... 
 A form that posts data back to the website

20. PUBLIC Why is account hijacking with OAuth a thing?

21. PUBLIC Short answer: The URL becomes sensitive Why is account

    hijacking with OAuth a thing? example.com/oauth/#access_token=SECRETTOKEN example.com/oauth/?code=SECRETCODE

22. PUBLIC OAuth hijacking pioneers 22 Nir Goldschlager in 2013 https://wagcenter.com/social-networks-wags/nir-goldshlager-facebooks-deadliest-hacker-saver/

    https://news.softpedia.com/news/Expert-Shows-How-Hackers-Can-Use-CSRF-Browser-Vulnerability-262109.shtml Egor Homakov in 2012

23. PUBLIC Blog posts in 2012/2013 23 https://web.archive.org/web/20130408011657/http://www.breaksec.com/?p=5753 https://homakov.blogspot.com/2013/02/hacking-facebook-with-oauth2-and-chrome.html

24. PUBLIC Issues back then 24

25. PUBLIC Issues back then 25 • "Referer" leaked URL incl

    query parameters, 
 including loading of images

26. PUBLIC Issues back then 26 • "Referer" leaked URL incl

    query parameters, 
 including loading of images • XSS was even more common

27. PUBLIC Issues back then 27 • "Referer" leaked URL incl

    query parameters, 
 including loading of images • XSS was even more common • Content Security Policy (CSP) did not exist

28. PUBLIC Issues back then 28 • "Referer" leaked URL incl

    query parameters, 
 including loading of images • XSS was even more common • Content Security Policy (CSP) did not exist • Large OAuth providers (like FB) made it easy to do wrong

29. PUBLIC OAuth 2.0 Security Best Current Practice

30. PUBLIC OAuth 2.0 Security Best Current Practice 30 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-4.2.1

31. PUBLIC My theory

32. PUBLIC postMessage-tracker 32 https://github.com/fransr/postMessage-tracker

33. PUBLIC What if… 33

34. PUBLIC What if… 34 • postMessage-listeners without XSS could still

    leak the URL cross-domain?

35. PUBLIC What if… 35 • postMessage-listeners without XSS could still

    leak the URL cross-domain? • I have ignored these earlier?

36. PUBLIC What if… 36 • postMessage-listeners without XSS could still

    leak the URL cross-domain? • I have ignored these earlier? • More complex flows? Not just "give me URL"

37. PUBLIC What if… 37 • postMessage-listeners without XSS could still

    leak the URL cross-domain? • I have ignored these earlier? • More complex flows? Not just "give me URL" • A way to force OAuth-flow to fail halfway?

38. PUBLIC Not new, but different? 38 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-4.2.1

39. PUBLIC postMessage-tracker log 39 https://github.com/fransr/postMessage-tracker

40. PUBLIC Start to collect… 40

41. PUBLIC A long time… 😴😰⏳

42. PUBLIC A long time… 😴😰⏳ 42 https://twitter.com/avlidienbrunn

43. PUBLIC Provider sends data, avoid website to use Non-happy paths

    in OAuth dance

44. PUBLIC Break "state" intentionally 44

45. PUBLIC Break "state" intentionally 45 • "state" is a param

    to make sure the user that started the flow is the one finishing it

46. PUBLIC Break "state" intentionally 46 • "state" is a param

    to make sure the user that started the flow is the one finishing it • It’s the website’s responsibility to validate it

47. PUBLIC Break "state" intentionally 47 • "state" is a param

    to make sure the user that started the flow is the one finishing it • It’s the website’s responsibility to validate it • If validation fails, code is never sent back to provider

48. PUBLIC Break "state" intentionally 48 1. Attacker prepares "state"

49. PUBLIC Break "state" intentionally 49 1. Attacker prepares "state" 2.

    Attacker makes malicious page

50. PUBLIC Break "state" intentionally 50 1. Attacker prepares "state" 2.

    Attacker makes malicious page 3. Victim clicks link

51. PUBLIC Break "state" intentionally 51 1. Attacker prepares "state" 2.

    Attacker makes malicious page 3. Victim clicks link 4. "state" invalid 
 for victim

52. PUBLIC Response-type/mode switching 52

53. PUBLIC Response-type/mode switching 53 • Most providers allow changing type/mode

54. PUBLIC Response-type/mode switching 54 • Most providers allow changing type/mode

    • Website gets confused with a different one

55. PUBLIC Response-type/mode switching 55 • Most providers allow changing type/mode

    • Website gets confused with a different one • No real option to disable types/modes

56. PUBLIC Response-type/mode switching 56

57. PUBLIC Response-type/mode switching 57 reddit.com?code=x&state=y

58. PUBLIC Response-type/mode switching 58 response_type=fragment reddit.com?code=x&state=y

59. PUBLIC Response-type/mode switching 59 response_type=fragment reddit.com/#access-token=xxx Website doesn’t understand reddit.com?code=x&state=y

60. PUBLIC Redirect URI modifications 60

61. PUBLIC Redirect URI modifications 61 • Case shifting 
 example.com/oauth

    -> example.com/oAUth#access-token=xxx 
 


62. PUBLIC Redirect URI modifications 62 • Case shifting 
 example.com/oauth

    -> example.com/oAUth#access-token=xxx 
 • Path appending 
 example.com/oauth -> example.com/oauth/x#access-token=xxx 


63. PUBLIC Redirect URI modifications 63 • Case shifting 
 example.com/oauth

    -> example.com/oAUth#access-token=xxx 
 • Path appending 
 example.com/oauth -> example.com/oauth/x#access-token=xxx 
 • Parameter appending 
 example.com/oauth?code=x -> example.com/oauth?code=x&code=xxx 
 


64. PUBLIC Redirect URI case shifting 64

65. PUBLIC Redirect URI case shifting 65 reddit.com/oauth#access-token=xxx

66. PUBLIC Redirect URI case shifting 66 redirect_uri=reddit.com/oAUth reddit.com/oauth#access-token=xxx

67. PUBLIC Redirect URI case shifting 67 redirect_uri=reddit.com/oAUth reddit.com/oAUth#access-token=xxx Website doesn’t

    understand reddit.com/oauth#access-token=xxx

68. PUBLIC Non-happy path! Now what?

69. PUBLIC Non-happy path! Now what? 69 • Error page, 404

    och 500 or similar 


70. PUBLIC Non-happy path! Now what? 70 • Error page, 404

    och 500 or similar 
 • Redirect to start page 


71. PUBLIC Non-happy path! Now what? 71 • Error page, 404

    och 500 or similar 
 • Redirect to start page 
 • Redirect to login page 


72. PUBLIC Non-happy path! Now what? 72 • Error page, 404

    och 500 or similar 
 • Redirect to start page 
 • Redirect to login page 
 • Redirect to login page with parameters removed 


73. PUBLIC Non-happy path! Now what? 73 • Error page, 404

    och 500 or similar 
 • Redirect to start page 
 • Redirect to login page 
 • Redirect to login page with parameters removed 
 • Redirect back to OAuth provider again

74. PUBLIC Non-happy path! Now what? 74 • Error page, 404

    och 500 or similar 
 • Redirect to start page 
 • Redirect to login page 
 • Redirect to login page with parameters removed 
 • Redirect back to OAuth provider again My focus

75. PUBLIC More… 💆😴🥱😰⏳

76. PUBLIC More… 💆😴🥱😰⏳ 76

77. PUBLIC *insert self-doubt*

78. PUBLIC But then: 78

79. PUBLIC But then: 79

80. PUBLIC Gadgets

81. PUBLIC Weak postMessage-listeners leaking URL 81

82. PUBLIC Weak postMessage-listeners leaking URL 82 • The one I

    expected to find

83. PUBLIC Weak postMessage-listeners leaking URL 83 • The one I

    expected to find • Message cross-domain containing URL

84. PUBLIC Weak postMessage-listeners leaking URL 84 1. Victim clicks link

85. PUBLIC Weak postMessage-listeners leaking URL 85 1. Victim clicks link,

    opens popup

86. PUBLIC Weak postMessage-listeners leaking URL 86 1. Victim clicks link,

    opens popup, uses wrong response type

87. PUBLIC Weak postMessage-listeners leaking URL 87 2. Attacker page to

    Reddit: postMessage(..) 1. Victim clicks link, opens popup, uses wrong response type

88. PUBLIC Weak postMessage-listeners leaking URL 88 2. Attacker page to

    Reddit: postMessage(..) 3. Reddit responds: postMessage(reddit.com/ #access-token=xxx) 1. Victim clicks link, opens popup, uses wrong response type

89. PUBLIC Weak postMessage-listeners leaking URL 89 2. Attacker page to

    Reddit: postMessage(..) 3. Reddit responds: postMessage(reddit.com/ #access-token=xxx) 1. Victim clicks link, opens popup, uses wrong response type 4. Attacker got the token!

90. PUBLIC XSS on sandbox/third-party domain getting URL 90 • URL

    gets transferred to sandbox/third-party

91. PUBLIC XSS on sandbox/third-party domain getting URL 91 • URL

    gets transferred to sandbox/third-party • Sandbox has XSS

92. PUBLIC XSS on sandbox/third-party domain getting URL 92 • URL

    gets transferred to sandbox/third-party • Sandbox has XSS • Two windows with same origin can reach each other

93. PUBLIC XSS on sandbox/third-party domain getting URL 93 • URL

    gets transferred to sandbox/third-party • Sandbox has XSS • Two windows with same origin can reach each other • 2 days after my report, Youssef Sammouda made a similar finding on FB

94. PUBLIC XSS on sandbox/third-party domain getting URL 94 1. Victim

    clicks link

95. PUBLIC XSS on sandbox/third-party domain getting URL 95 1. Victim

    clicks link, XSS in sandbox iframe XSS

96. PUBLIC XSS on sandbox/third-party domain getting URL 96 1. Victim

    clicks link, XSS in sandbox iframe 2. Opens popup XSS

97. PUBLIC XSS on sandbox/third-party domain getting URL 97 1. Victim

    clicks link, XSS in sandbox iframe 2. Opens popup, uses wrong response type XSS

98. PUBLIC XSS on sandbox/third-party domain getting URL 98 1. Victim

    clicks link, XSS in sandbox iframe 2. Opens popup, uses wrong response type XSS 3. Loads sandbox iframe, URL 
 of main window is transferred

99. PUBLIC XSS on sandbox/third-party domain getting URL 99 1. Victim

    clicks link, XSS in sandbox iframe 2. Opens popup, uses wrong response type XSS 3. Loads sandbox iframe, URL 
 of main window is transferred 4. Sandbox XSS to sandbox on Reddit: frames[0].eval(..)

100. PUBLIC XSS on sandbox/third-party domain getting URL 100 1. Victim

     clicks link, XSS in sandbox iframe 5. Attacker got the token! 2. Opens popup, uses wrong response type XSS 3. Loads sandbox iframe, URL 
 of main window is transferred 4. Sandbox XSS to sandbox on Reddit: frames[0].eval(..)

101. PUBLIC 101

102. PUBLIC Using APIs to fetch URL out-of-bounds 102 • URL

     is sent somewhere else but we will try to get it

103. PUBLIC Using APIs to fetch URL out-of-bounds 103 • URL

     is sent somewhere else but we will try to get it • Such a fun bug, so many possibilities

104. PUBLIC Using APIs to fetch URL out-of-bounds 104 • URL

     is sent somewhere else but we will try to get it • Such a fun bug, so many possibilities • There will be more alterations of this

105. PUBLIC Using APIs to fetch URL out-of-bounds 105 • URL

     is sent somewhere else but we will try to get it • Such a fun bug, so many possibilities • There will be more alterations of this • Complex flow to explain, hang in there!

106. PUBLIC Using APIs to fetch URL out-of-bounds 106 1. Victim

     clicks link

107. PUBLIC Using APIs to fetch URL out-of-bounds 107 1. Victim

     clicks link, loads chat widget 2. Loads chat widget, 
 gets user’s API-token

108. PUBLIC Using APIs to fetch URL out-of-bounds 108 1. Victim

     clicks link, loads chat widget 3. Opens popup 2. Loads chat widget, 
 gets user’s API-token

109. PUBLIC Using APIs to fetch URL out-of-bounds 109 1. Victim

     clicks link, loads chat widget 3. Opens popup, uses wrong response type 2. Loads chat widget, 
 gets user’s API-token

110. PUBLIC Using APIs to fetch URL out-of-bounds 110 1. Victim

     clicks link, loads chat widget 3. Opens popup, uses wrong response type 4. Loads sandbox iframe, 
 current URL is transferred 
 to Chat API 2. Loads chat widget, 
 gets user’s API-token

111. PUBLIC Using APIs to fetch URL out-of-bounds 111 1. Victim

     clicks link, loads chat widget 3. Opens popup, uses wrong response type 4. Loads sandbox iframe, 
 current URL is transferred 
 to Chat API 2. Loads chat widget, 
 gets user’s API-token 4. Attacker polls API using token for 
 current URL

112. PUBLIC Using APIs to fetch URL out-of-bounds 112 1. Victim

     clicks link, loads chat widget 5. Attacker got the token! 3. Opens popup, uses wrong response type 4. Loads sandbox iframe, 
 current URL is transferred 
 to Chat API 2. Loads chat widget, 
 gets user’s API-token 4. Attacker polls API using token for 
 current URL

113. PUBLIC Demo time!

114. PUBLIC Demo time! 114

115. PUBLIC Demo time! 115

116. PUBLIC Conclusions

117. PUBLIC Conclusions 117 • Do NOT include third party scripts

     on error pages involved in the OAuth-dance 


118. PUBLIC Conclusions 118 • Do NOT include third party scripts

     on error pages involved in the OAuth-dance 
 • Test the non-happy paths in OAuth yourself. 
 Is GTM loaded in this flow? 


119. PUBLIC Conclusions 119 • Do NOT include third party scripts

     on error pages involved in the OAuth-dance 
 • Test the non-happy paths in OAuth yourself. 
 Is GTM loaded in this flow? 
 • OAuth-providers should allow turning off response- modes/types not being used

120. twitter @fransrosen www.detectify.com Thank you!