The OAuth Misconfiguration

Registering your client application with the OAuth service

c0d3x27

InfoSec Write-ups

· ~3 min read · January 18, 2022 (Updated: January 22, 2022) · Free: No

101 Intro

What is OAuth?

OAuth 2.0 is an authorization framework for Web Application. It validates the identity of a user to the website which requested it without disclosing passwords to the website.

What is OAuth Misconfiguration?

The most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users' accounts. By stealing a valid code or token, the attacker may be able to access the victim's account.

Real-life scenario:

Days ago, I discovered that the Hotdomain.com's android application was vulnerable to OAuth Misconfiguration. Letting attackers hack about any user's account. This vulnerability could compromise any user account.

Description: Hotdomain.com android application was not validating Facebook `access_token` on the server-side, which allows an attacker to hack any account using his own personal application access token.

Vulnerable request/ HTTP request:

As shown above in the trace dump, this is the log from the request made with Burpsuite to expose the endpoint with the vulnerability.

Steps to reproduce:

By looking at line 17 you can see where you will have to add your malicious access token in order to take over any account you wanted.

Impact

By generating a random access token and putting it in place of the original, I was able to gain control of the victim account. The Facebook access token is not getting validated on the server side. Actually, on the login Facebook option, Facebook should provide and validate a unique access token to every user to log in on this app.

Fix recommendation:

https://developers.facebook.com/docs/facebook-login/security **(Bug in OAuth flow)

Looking at the picture above we can see how the report went, and it was not as I was expecting.

Long story short, as shown here, my report came out to be part of a long list of reports. In which both the android application and web app as a whole, were part of a unique report. This because the same code was used to power both applications. This is still a win for me, because this is something you can always use in your next target.

Summary:

Why OAuth is bad for authentication? Let's start with the biggest reason why OAuth isn't authentication: access tokens are not intended for the client application. When an authorization server issues an access token, the intended audience is the protected resource. … It's down to the protected resource to understand and validate the token.

#programming #data-science #technology #software-engineering #cybersecurity