OAuth: securing the insecure
Black Hat US 2011
Khash Kiani, khash@thinksec.com
roadmap
‣ OAuth flow
‣ insecure implementation
  1. insecure storage of secrets
  2. evil mobile and web OAuth apps
  3. flawed session management
  4. password reset
‣ summary

what's OAuth?

user-centric scheme: the user controls authorization
[diagram: the user, Twitter, and two client applications, FM and AIG, linked by tokens]

actors:
‣ resource owner (user)
‣ resource consumer (client)
‣ resource provider (server)
tokens:
‣ consumer credentials
‣ request token
‣ access token

authorization flow
1. client app authentication
2. get request token: POST oauth/request_token
3. authenticate user: GET oauth/authorize
4. get access token: POST oauth/access_token
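Step 1, client app authentication, is what the rest of the deck's "consumer secret" discussion rests on. The following Python is an added example, not code from the deck: an OAuth 1.0a HMAC-SHA1 signer (RFC 5849) and the provider-side check that recomputes the signature from the stored secrets. The consumer key, secrets, token, nonce and URLs are constructed placeholders. The verifier also adds the two checks the signature alone does not give a provider: a timestamp window and a nonce cache against replay, and it refuses to fall back to an empty token secret for an unknown token.

```python
"""OAuth 1.0a request signing (RFC 5849, HMAC-SHA1) and the provider-side check.
Added example: keys, secrets, URLs and nonces below are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """Percent-encode per RFC 5849 3.6: only unreserved characters stay as they are."""
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params) -> str:
    """Build the signature base string: METHOD & base URL & normalised parameters."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    base_url = f"{scheme}://{host}{parts.path}"
    # Query parameters are part of what is signed; oauth_signature itself never is.
    pairs = [(k, v) for k, v in params if k != "oauth_signature"]
    pairs += parse_qsl(parts.query, keep_blank_values=True)
    normalised = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalised)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer secret & token secret'.
    Whoever holds the consumer secret can produce this, i.e. can authenticate as the client."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def oauth_params(consumer_key, token=None, nonce=None, timestamp=None):
    """The oauth_* protocol parameters a client attaches before signing."""
    p = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    if token:
        p.append(("oauth_token", token))
    return p


class Verifier:
    """Provider side: recompute the signature with the stored secrets, then reject stale
    timestamps and replayed nonces, which the signature alone does not prevent."""

    def __init__(self, consumer_secrets, token_secrets, window=300):
        self.consumer_secrets = consumer_secrets   # consumer key -> consumer secret
        self.token_secrets = token_secrets         # access/request token -> token secret
        self.window = window                       # seconds of clock skew tolerated
        self.seen = set()                          # (consumer key, nonce, timestamp) already used

    def verify(self, method, url, params, now=None):
        p = dict(params)
        now = now if now is not None else int(time.time())
        consumer_secret = self.consumer_secrets.get(p.get("oauth_consumer_key"))
        if consumer_secret is None:
            return False
        token_secret = ""
        if "oauth_token" in p:
            token_secret = self.token_secrets.get(p["oauth_token"])
            if token_secret is None:
                return False                       # unknown token: never fall back to an empty secret
        ts = p.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(now - int(ts)) > self.window:
            return False
        replay_key = (p["oauth_consumer_key"], p.get("oauth_nonce"), ts)
        if replay_key in self.seen:
            return False
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False
        self.seen.add(replay_key)
        return True
```

The nonce cache is keyed by consumer key, nonce and timestamp; entries older than the window can be dropped, since a request with such a timestamp is rejected before the cache is consulted.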
Insecure Implementation

insecure storage of secrets (consumer credentials)

OAuth flow, step 1: register client
    // Consumer credentials embedded as string constants in the client: the
    // insecure pattern this slide shows. Values are redacted placeholders.
    public class TwitterClient {

        private static String key = "qSkJuxxxxxxxx76A";
        private static String secret = "Bs738xxxxxxxxxxxxxxZe9EhXw";
    }
server-side
‣ isolate the credentials
‣ protect the integrity

native clients
‣ native mobile app
‣ desktop apps

“... if twitter uses the client secret in installed applications for anything other than gathering statistics, well, they should reconsider.”
“So forget about using the consumer credentials for anything other than somewhat reliable statistics.”
- E. Hammer-Lahav

how about these use cases:
‣ fulfill specific business requirements
  - server must keep track of all clients
‣ prevent phishing attacks

popular implementations (native apps)
1. omit the client credentials entirely
2. embed in the client app itself

threat (with embedded client credentials)
‣ compromised credentials

open source clients
‣ source code
‣ resource bundle

the not so secret consumer secrets

closed source clients
‣ binary extraction on an android oauth client:
‣ astro file manager to copy the client app
‣ poke around
‣ classes.dex
‣ “dexdump classes.dex”
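What the "poke around" step finds: the Python below is an added example, not from the deck, that does by script what the dexdump step does by hand. It opens the copied package as the zip archive it is, pulls classes.dex and scans its string pool for credential-shaped strings (one token, mixed character classes, high entropy), which is how embedded consumer keys and secrets surface. The package is constructed in memory with placeholder credentials and a stand-in string pool rather than a real app, so it runs offline; against a real .apk only the input to scan_apk changes.

```python
"""Pull embedded consumer credentials out of a packaged Android client.
Added example: the .apk and its classes.dex are constructed stand-ins, not a real app,
and the credential values are placeholders."""
import io
import math
import re
import zipfile

CONSUMER_KEY = "qSkJuA9hTf2LmP76A"              # constructed placeholder
CONSUMER_SECRET = "Bs738KdQ1xW4nRzT0YvZe9EhXw"   # constructed placeholder


def build_fake_apk() -> bytes:
    """Constructed .apk: a zip whose classes.dex holds the kind of string pool the
    compiler emits for the TwitterClient class (strings separated by NUL bytes)."""
    dex = b"dex\n035\0" + bytes(16) + b"\0".join([
        b"Lcom/example/TwitterClient;", b"key", CONSUMER_KEY.encode(),
        b"secret", CONSUMER_SECRET.encode(),
        b"https://api.twitter.com/oauth/request_token", b"AndroidRuntime", b"twitter",
    ]) + bytes(8)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
    return buf.getvalue()


def extract_strings(blob: bytes, min_len: int = 8):
    """Runs of printable ASCII, the same thing the strings(1) utility reports."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def credential_candidates(strings, min_entropy: float = 3.0):
    """Keep strings shaped like API credentials: a single token of 12-64 url-safe
    characters mixing upper case, lower case and digits, with high entropy. URLs,
    class descriptors and plain words fail the shape or the entropy test."""
    out = []
    for s in strings:
        shaped = (re.fullmatch(r"[A-Za-z0-9_-]{12,64}", s)
                  and re.search(r"[A-Z]", s) and re.search(r"[a-z]", s) and re.search(r"\d", s))
        if shaped and entropy(s) >= min_entropy:
            out.append(s)
    return out


def scan_apk(apk_bytes: bytes):
    """Open the package as a zip, take classes.dex and report credential-shaped strings."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex = z.read("classes.dex")
    return credential_candidates(extract_strings(dex))


if __name__ == "__main__":
    for candidate in scan_apk(build_fake_apk()):
        print("credential-shaped string:", candidate)
```

Obfuscators rename classes and methods but leave string constants intact, which is why the ProGuard advice on the next slides does not help against this scan.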
compromised credentials
impact:
‣ key rotation and kill switch
‣ not meeting business requirements
‣ anonymous publication by competition
‣ susceptible to phishing attacks

suboptimal solutions
‣ client secret obfuscation (ProGuard for Android)
‣ ProGuard for Android: don't put sensitive info in XML resource files!
‣ negotiate credentials with your backend server
‣ what will stop a rogue client?

alternative mitigation
‣ a deviated approach with automated provisioning

alternate flow
‣ authenticate user to client's web server
‣ call home to get device id
‣ store device id locally
‣ proceed with oauth flow to get request token
‣ validate device id to authenticate client
‣ proceed with the flow to grant access token
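The alternate flow replaces one secret baked into every install with a per-install credential handed out by the client's own backend. The Python below is an added example of that provisioning and validation, not the deck's code: the backend checks the user's password, issues a device credential that the app stores locally, and re-validates it before each provider-facing step, with a kill switch per device and per user that does not require rotating the consumer secret. The user store, the credential format and the 90-day lifetime are assumptions; the provider-facing OAuth calls themselves, signed with the consumer secret that only the backend holds, are outside this snippet.

```python
"""Per-install client credentials issued by the client's own backend, in place of a
consumer secret embedded in the app. Added example: the user store, credential
format and lifetime are assumptions, not the deck's or any provider's scheme."""
import hashlib
import hmac
import secrets
import time

DEVICE_LIFETIME = 90 * 24 * 3600   # assumption: installs re-provision after 90 days


class ClientBackend:
    """The client application's web server. It alone holds the OAuth consumer secret
    and talks to the provider; native installs authenticate to it with a device credential."""

    def __init__(self, consumer_key, consumer_secret):
        self.consumer_key = consumer_key
        self.consumer_secret = consumer_secret   # never shipped inside the app
        self.users = {}      # username -> {"salt", "hash"}
        self.devices = {}    # device id -> {"user", "issued", "secret_hash", "revoked"}

    # -- user accounts (constructed; a real backend would use its existing user store)
    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._pw_hash(password, salt)}

    def _check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            self._pw_hash(password, bytes(16))   # same cost for unknown users
            return False
        return hmac.compare_digest(rec["hash"], self._pw_hash(password, rec["salt"]))

    # -- steps 1 to 3: user authenticates, the install calls home and receives its device id
    def provision_device(self, username, password, now=None):
        if not self._check_password(username, password):
            return None
        now = now if now is not None else int(time.time())
        device_id = secrets.token_urlsafe(12)
        device_secret = secrets.token_urlsafe(32)
        self.devices[device_id] = {
            "user": username, "issued": now, "revoked": False,
            "secret_hash": hashlib.sha256(device_secret.encode()).digest(),  # only the hash is stored
        }
        return f"{device_id}.{device_secret}"   # the app stores this locally

    # -- step 5: validate the device credential before each provider-facing step
    def authenticate_device(self, credential, now=None):
        now = now if now is not None else int(time.time())
        device_id, _, device_secret = credential.partition(".")
        rec = self.devices.get(device_id)
        if rec is None or rec["revoked"] or now - rec["issued"] > DEVICE_LIFETIME:
            return None
        presented = hashlib.sha256(device_secret.encode()).digest()
        if not hmac.compare_digest(rec["secret_hash"], presented):
            return None
        return rec["user"]

    # -- kill switch: cut off a leaked install, or all of a user's installs
    def revoke_device(self, device_id):
        if device_id in self.devices:
            self.devices[device_id]["revoked"] = True

    def revoke_user(self, username):
        for rec in self.devices.values():
            if rec["user"] == username:
                rec["revoked"] = True
```

Steps 4 and 6 of the flow run on the backend after authenticate_device succeeds, so a rogue client that copied the app still needs a valid user password to obtain any credential, and the credential it obtains is individually revocable.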
building malicious OAuth clients (native and web apps)

password theft with Google client (a native iOS mobile app)

OAuthSampleTouch mobile Google app
‣ download
‣ compile
‣ run
‣ edit controller

modify the UIWebViewDelegate's webView:shouldStartLoadWithRequest:navigationType: callback method to intercept the login page prior to sending the POST request

OAuth process with an embedded view: user authenticates and grants permission

output the Google credentials

“but it looked so official!”
OAuth provides the user with a false sense of safety in the authentication workflow

recommendations
‣ client application developers: keep authentication outside the app and inside the browser
‣ users: do not trust clients that do not use a trusted neutral application such as Safari to manage server auth
‣ protocol designers: stricter policies around authenticating clients to server; better browser API support

fortune telling facebook app (a browser-based web application)
a social engineering oauth application to establish user trust

lure the victim to use your app
the domain apps.facebook.com is trustworthy! phish easy!

https://apps.facebook.com/redevilfortune/
access scope

70%
* source: core impact client-side phishing campaign

query private user messages
read the inbox messages

build the trap to aid exploitation
link to execute an ajax post and carry out CSRF

assumptions
‣ victim has an active session with his banking site
‣ no CSRF protection by banking site!
“but it looked so official!”
OAuth provides the user with a false sense of safety in the authentication workflow

Dear Facebook,
what is the business need for a web application to read my private messages?
flawed session management

Avon selects twitterfeed to publish something
- Avon is redirected to twitter's authorization endpoint
- Avon enters his twitter credentials and grants access
- Avon is redirected back to complete the feed
- Avon signs out of twitterfeed and walks away

risks
‣ unattended session
‣ no session timeout
‣ user remains logged in

what can go wrong?

problem, meet solution
‣ invalidate server session
‣ short-lived access token
‣ no auto-processing

a better approach

can you really change your password?

change password = old password still works!

solution
‣ ensure compromised credentials cannot be used
‣ revoke tokens upon password changes
  - results from facebook access token leakage to 3rd party apps
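The two "solution" slides above (invalidate the server session, short-lived access tokens, revoke tokens on password change) as one working Python example, added here and not taken from the deck. The Provider keeps a web session with an idle timeout and a logout that drops server-side state, mints access tokens with a fixed TTL, and tags each token with the user's credential version, so a password change retires every token minted before it without a per-token search. Lifetimes, the user name and the store layout are assumptions.

```python
"""Session and token lifecycle at a provider: idle timeout, server-side logout,
short-lived access tokens, and revocation of every token issued before a password
change. Added example; lifetimes and store layout are assumptions."""
import hashlib
import hmac
import secrets
import time

SESSION_IDLE_TIMEOUT = 15 * 60   # assumption: a session left unattended dies after 15 minutes
ACCESS_TOKEN_TTL = 60 * 60       # assumption: access tokens live for one hour


class Provider:
    """Server side of the OAuth flow plus the user's own web session."""

    def __init__(self):
        self.users = {}      # username -> {"salt", "hash", "cred_version"}
        self.sessions = {}   # session id -> {"user", "last_seen"}
        self.tokens = {}     # sha256(token) -> {"user", "client", "expires", "cred_version", "revoked"}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).digest()   # tokens are stored hashed

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "cred_version": 1}

    def check_password(self, username, password):
        u = self.users.get(username)
        return u is not None and hmac.compare_digest(u["hash"], self._hash(password, u["salt"]))

    # -- web session: login, idle timeout, explicit logout
    def login(self, username, password, now):
        if not self.check_password(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def session_user(self, sid, now):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self.sessions[sid]        # the unattended session expires on the server
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)      # signing out drops server state, not just the cookie

    # -- access tokens granted to a client such as twitterfeed
    def issue_access_token(self, username, client, now):
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = {
            "user": username, "client": client, "expires": now + ACCESS_TOKEN_TTL,
            "cred_version": self.users[username]["cred_version"], "revoked": False,
        }
        return token

    def token_user(self, token, now):
        """(user, client) for a live token, else None."""
        rec = self.tokens.get(self._key(token))
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        if rec["cred_version"] != self.users[rec["user"]]["cred_version"]:
            return None                   # minted under a password that has since changed
        return rec["user"], rec["client"]

    def revoke_client(self, username, client):
        for rec in self.tokens.values():
            if rec["user"] == username and rec["client"] == client:
                rec["revoked"] = True

    def change_password(self, username, old, new, keep_sid=None):
        if not self.check_password(username, old):
            return False
        u = self.users[username]
        u["salt"] = secrets.token_bytes(16)
        u["hash"] = self._hash(new, u["salt"])
        u["cred_version"] += 1            # every earlier token stops validating
        # every other session of this user goes too; keep_sid is the one that made the change
        self.sessions = {sid: s for sid, s in self.sessions.items()
                         if s["user"] != username or sid == keep_sid}
        return True
```

The credential version check is what closes the "change password = old password still works" gap: a token leaked to a third-party app before the change is dead the moment the change lands, whether or not the provider ever enumerates the user's tokens.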
conclusion
- defeating the password anti-pattern
- implementation, not protocol
- private vs. public APIs
- open vs. closed source clients
- keep callback url intact
- trusting native mobile apps
- don't trust the logo
- don't trust the domain

take-away: use it when it makes sense!

thank you!
khash@thinksec.com