
Uh-OAuth! - Breaking (and fixing) OAuth Implementations

BSides TLV · 2023 · 41:26 · 389 views · Published 2023-07
Category: Technical
Difficulty: Advanced
Style: Talk
About this talk
Aviad Carmel breaks down OAuth and OpenID Connect implementations, demonstrating critical account-takeover vulnerabilities affecting billions of users across major platforms. The talk covers OAuth fundamentals, real-world exploitation techniques discovered during research on Booking, Expo, and other services, and practical fixes developers should implement.
Aviad Carmel speaking at BSidesTLV 2023: Uh-OAuth! - Breaking (and fixing) OAuth Implementations
Transcript [en]

And we have a fantastic speaker now. The next speaker that we have on this stage, he discovered his first vulnerability and he got root and a CVE at the age of 15. All right, so this is a speaker we all can learn a lot from. Please welcome to the stage.

Now I'm going to tell you a little bit about Aviad. He is a recognized expert, and in addition to his security research he is very passionate about teaching. That's why Aviad wrote and taught the reverse engineering and vulnerabilities course at the Technion computer science faculty. Now that's quite an honor. Thank you, Aviad, for gracing us with your presence here in the lowly Tel Aviv University, which is not as high and mighty as the Technion up north, so we really appreciate that you are joining us here with the simpletons here in Tel Aviv, in the wild wild west. Thank you. Now you've got your slides there, you've got your clicker, you're good to go. Everybody, Aviad is going to tell us all about OAuth,

and it's going to be a deep dive, so hold on tight. You're feeling good? In five minutes? In the time, in case people from the outside want to... no, you're starting right now. Right now. I can tell the audience some jokes if you like. I had five minutes, really? No, maybe you should start. Okay, okay, I'll be right here telling jokes, in case you need me. Okay, sure. Okay, I can always tell the audience some more things. I think they want to hear from you; they're hearing from me all day. So everybody can hear me at the top, right? It's okay. Okay, so let's check the pointer. Fine. So today I'm going to give a talk about

OAuth. OAuth is the social sign-in, when you log into a website using your Facebook account or Google account, and in this talk I'm going to show you how to break it. I'm going to teach you how to find OAuth vulnerabilities by yourself. So first of all, about me: I'm Aviad Carmel, a security researcher, among other things, but today I'm a security researcher. I work at Salt Security. It's an API security company; we discover, detect and prevent API attacks. APIs are everywhere: websites, services, applications. So if you want to read more you can visit the website salt.security. Now, why I started to do research about OAuth: as you know, social sign-in is everywhere, used by 90% of the people.

For example, who uses Facebook or Google to sign in, right? I think all hands should be raised up, because we all use Facebook, Google, Twitter, Apple to sign in. And in this research what we wanted to check is how well-secured OAuth, the social sign-in mechanism, is in 2023, and what we did is account takeover on one billion accounts. Yes, you hear me right, one billion accounts, and every target has at least 100 million users. And in this talk I'm going to reveal most of the cards; some of the targets I'm going to reveal here for the first time, so it's going to be really interesting. Now in this talk I'm going to teach you

what OAuth is, how it works, how to break it on real targets, and how to fix it if you want to develop OAuth by yourself. So what is OAuth? I want to take you back 20 years ago. Suppose there is a site timeplanner.com and you want to give access to your Gmail calendar to timeplanner.com. Now, 20 years ago you had to give them your Gmail password. Yes, it's true, you had to give them your Gmail password and they could access your Gmail calendar, but theoretically they could also access your emails, write emails on your behalf. So it's really insane, and that's what OAuth solves. With OAuth you can give time planner access

to your calendar only, and without sharing your password, so even if time planner is a malicious website you have nothing to worry about. Now, while the example with time planner is authorization, because we are giving access to a calendar, OAuth is even more popular for social sign-in, which is authentication. But both social sign-in and authorization are the same thing, the same mechanism based on OAuth. The focus of the presentation is the social sign-in. And in 2014 a new standard, OpenID Connect, was released, which is a standard only for authentication, the social sign-in. But what you need to know is that OpenID is also based on OAuth, so every vulnerability that I'm going to show you

in this presentation is also relevant to OpenID. So before I deep dive into the vulnerabilities, I want to make sure everybody here understands how OAuth works, so let's do a brief overview. Suppose there is Dan. Dan is a regular person like every one of you, and he wants to connect to timeplanner.com using his Facebook account. So Dan goes to time planner and says, hey, I want to log in using Facebook, and time planner says, okay, tell Facebook that I need access to your identity, your email address, as a proof. Dan goes to Facebook and says, hey, I need a proof for time planner, he wants my email address, and Facebook generates a secret token for Dan. He remembers that secret one

two three is dan@gmail.com, and then Dan is happy and tells time planner: Facebook told me secret one two three. Now time planner, with secret token one two three, can directly talk with Facebook and ask, hey, what is the email of secret token one two three? And Facebook says it's dan@gmail.com, you can trust him. So it's really interesting, because Dan is lazy, he doesn't want to type his password, and using only one click, one click, Dan could authenticate himself to time planner using Facebook. So it's really magic how OAuth works. Now let's do the same slide again but with more technical details. Now when Dan clicks on continue

with Facebook, what really happens is that time planner sends this URL to Dan, and Dan opens this URL in a new tab, a new window, and this URL has a lot of interesting parameters, but the most important one is the redirect URI. The redirect URI will tell Facebook where to send the secret token. And in the next step (I have a problem with the clicker, okay), in the next step Dan goes to Facebook. You see the confirmation message; the next time you see that confirmation message, pay attention to the URL. This is the same URL as you see right now in step two. Now Facebook generates the token for Dan and sends it to the redirect URI, and

that's how it works: we do a lot of redirection, but it should be a little bit simple, and so that's it. So I want to show our journey to 1 billion accounts, and I'm going to reveal the cards one card at a time. So we'll start with the first card, and surprise, it's booking.com. So, booking.com. Who here knows booking.com? It's a really popular website, especially in Israel: thousands of employees, 16 billion dollars in annual revenue, a really huge website. And let's see how OAuth works in Booking. So Dan clicks on continue with Facebook and the flow starts very similar to time planner: booking sends this URL to Dan, the same URL with the redirect URI. Now Dan goes to Facebook and Facebook

generates a secret code. This time it's a secret code, not a secret token, and Dan takes the secret code one two three, and the browser of Dan automatically takes the secret code one two three and sends it to the redirect URI, which is a URL in account.booking.com. Now pay attention that the response type here is code, not token. But in OAuth, to talk with Facebook eventually you need a token, so booking needs to do an additional step to exchange this code for a token. So booking sends the code, receives from Facebook a token, and with the token booking can talk with Facebook to receive the identity of Dan. Now you might ask yourself, if booking needs a

code, if booking needs a token, why ask for a code? Why doesn't booking ask for a token directly? And the answer is security, because if an attacker, for example, steals the code, it's really impossible to exploit, because the attacker can't exchange the code for a token. Only booking can do it, exchanging the code for a token, okay, and there is a client secret that only booking has, so it's more secure. Now let's summarize it. In the example with time planner we saw that the response type was token. It's really simple, and it's also the only option if you don't have a backend, right? If you don't have a

backend you can't exchange the code for a token; it's an API from the backend. Now if you do have a backend, probably you want to use code, like booking. In this flow the token is never exposed to the browser, so it's more secure, and only booking, the backend, can exchange this code for a token. And if you want to read more about the difference between token and code you can read the blog post; I will share the link later. There is a lot of information, so I can't deep dive into all the details, so sometimes I will give you a link to read more. Now let's attack booking.com, and our goal is to get the victim's code to our

domain. So let's take a look again at this diagram, and in OAuth what we want to do is to try to manipulate the redirect URI. Now let's see what we can do. I as the attacker take this link from step two, okay, this is the link from step two, and I change only one thing, the path in the redirect URI. So the path, instead of the social result Facebook path, will be any path an attacker wants. And let's send this link to Dan. Dan is our victim; I put this link in an email. So the link says, hey Facebook, I am Dan and I want to connect to booking, can you send my secret code to account.booking.com, any

path an attacker wants. And we can configure Facebook to validate only the domain, so this is why I can change the path. I can't change the domain, but I can change the path, and that's what I do right here. So let's see how it works. Dan clicks on this link, he goes to Facebook, and Facebook automatically redirects Dan to this redirect URI with the secret code. Now it happens automatically because Facebook remembers that Dan already approved; Dan already clicked on continue as Dan one time. (There is some misalignment because I created the slides with Google Drive and this is PowerPoint, but it's really a minor thing.) So what I did here, I made Facebook send

the secret code to another path in booking.com. Now you might ask yourself, what's the big deal? It's not a critical issue, right? What I did, I just sent the code to another path in booking, and you are right. What I did is that I tricked Facebook to send the code to any path I want in account.booking.com, but what I want to do is to send this code to my malicious domain, right? I want to read that code, I want to take over the account of Dan, I want to order vacations. So let's continue the research, and after an additional research time I found this simple URL in the website of booking, and if you click on this URL booking will

redirect you to account.booking.com/settings. Now when you see a URL with "ey", this is base64 encoding, and the first thing that you want to do is to decrypt it, because you might find some interesting things. And in this case the base64 encoding is actually /settings. So you might guess what I want to do here: I want to change settings to my malicious domain, and what I did here, I created a link that if the victim clicks on that link, booking will redirect him to my malicious domain. And it's also called an open redirection vulnerability, because I created one link in one domain and when someone clicks on this link he will be redirected to

another domain, okay. So this is an open redirection, and what I want to do is to take this open redirection vulnerability, this is the first URL, and I take this URL and I insert it into the first vulnerability, the problem with the redirect URI, and the result is a longer link. If a victim clicks on this longer link, booking will send the code, or the credentials, to my malicious domain; I mean Facebook will send the credentials to my malicious domain. So it's really cool, and it's also a lot of information, so let's see it step by step. So when Dan clicks on this link he goes to Facebook, he clicks on the link, and Facebook says the domain is

valid, right, because it's account.booking.com. The domain is valid, Facebook doesn't validate the path, and Facebook redirects Dan to booking with the code. Now booking says, hey Dan, what do you want from me? Right, the link tells me to redirect you to attacker.com, and we at attacker.com now can read the secret code. Now I didn't mention that the response type in the attack is not token, not code; it's a combination of token and code. I don't have the time to deep dive into all the details, but you can read the reason in the post; I will share the link later. So what we have here: I made Facebook send the code to my malicious domain. Now the next thing that

I want to do is to use this code to connect to booking.com as Dan, right? I want to take over the account of Dan. So the attacker starts a regular login flow with booking, but in step 3 what the attacker does is send the victim's code, and what the attacker wants to happen is to take over the account of Dan. And what we know is that in the next step booking will exchange this code for the token, and, problem: we got invalid code. It didn't work. And the question is why. Why didn't it work? It's a valid code, I just stole it from Dan. Why didn't it work? Now I can guess, I only can guess, because

I can't see the backend, I can't see what's going on between booking and Facebook. I can guess that this API failed; I guess that Facebook says no in the result for this API. Now let's check what this API is; let's read the documentation of Facebook. Now this is from the documentation of Facebook: when you exchange a code for an access token there are several parameters, and one of the parameters is the redirect URI, and Facebook says that it must be the same as the original request URI that you used when starting the login process. Now, a lot of words; I want to explain it. So from the perspective of Facebook, the victim's code was generated to a strange

redirect URI, right? It was a long redirect URI with the open redirection, but now someone uses this code with a shorter redirect URI. So from the perspective of Facebook it is the same flow, same code, two different redirect URIs, and Facebook says, no, something looks strange to me, and Facebook saves booking from the account takeover. So really, congratulations to Facebook for saving booking. But we want to try, we really want to do the account takeover, so what the attacker wants to do is to bypass the validation of Facebook. And the problem is that I as the attacker got stuck. I didn't find

something useful in the web, I didn't find anything interesting in the web. Now when you don't find what you want on the web, what do you do? You go for mobile research. Mobile research: you download the application of booking. Now I won't deep dive into all the details. I found this interesting API. This is an API where the application of booking, the mobile application, sends the code to booking, and you can see here the code; here I use the code of the victim. But pay attention to the result URI. Now I can guess that Facebook will use my parameter, my input, my input result URI, in the request to Facebook when it

exchanges the code for a token. So this is exactly what I wanted. So what I want to try is to change this result URI. Why? This request is from my computer; I can change it. So I change the result URI, okay, I change the result URI to the longer link which I used for the initial attack, this is the long link with the open redirection, and it worked, and I connected as Dan to booking.com. I have account takeover with only a simple Facebook link. I can send you a legitimate Facebook link, it's only a link to Facebook, and if you click on that link I can access your account in Booking. I can read your

Visa cards. Thank you. It's getting worse, not in Booking, in other targets, so agree with me. So, summary: the attacker can take over booking accounts using a legitimate Facebook link. Really, you just click on the link and everything happens automatically. And the vulnerability also impacted kayak.com, because you can connect to kayak.com using your booking account, so if I take over your account in Booking I can log into kayak. So maybe it's really a lot of accounts, and this vulnerability might also impact users that sign in using Google or even don't use social sign-in at all. And all the information is in the blog: you can visit salt.security, click on Company and then on Salt Labs, and the

response: booking fixed it really quickly, really quickly, and you can read their response later. I will share the presentation; you can find it in the blog. And we had a lot of coverage in the media, so it was really big. It was three months ago. So now I want to continue to the next target. I already have 400 million accounts, and that's if I don't count kayak.com, only booking. So the next target is a really special target, because it's not one target, it's... (there is a delay when I click and when I see the slide, okay). So this is a framework, and we got a CVE, so one vulnerability, and we have access to 100 websites, so

we are talking about the Expo framework.

So meet Expo. What do they do? It's a framework for developing mobile applications and web. Who uses Expo here? Who develops mobile applications here? Okay, I see a few hands. And they are really popular; they are used by 600 thousand developers, so they are really huge. And what I want to do is to develop my own application using Expo and to see how OAuth works in Expo and how we can break it. So let's see how OAuth works in Expo. Now Dan clicks on login with Facebook in an application that was developed with Expo, and the cool app redirects him to Expo. There is a confirmation message; when Dan clicks on yes, Expo redirects him to Facebook, and Dan authenticates himself

with Facebook, and after that Facebook redirects him to Expo with the secret token, and Expo sends the secret token to the cool app. So it's a lot of redirection, but it's good, because when you have a lot of redirection you also have a lot of chances to steal the token. So I want to do the same slide again but with more technical details. Now, when Dan clicks on login with Facebook or sign in with Google (it's the same thing, I'm just using Facebook because it's more convenient for me, but it's also true for Google), so when Dan clicks on login with Facebook or sign in with Google, the cool app redirects Dan to this URL in auth.expo.io. When Dan clicks on yes,

Expo redirects Dan to this Facebook link, and you're already familiar with this link in Facebook with the redirect URI, right? So Facebook will send the secret token to the redirect URI here, and so Facebook sends the token to Expo, and at the last step Expo sends the token to the cool app. Now we want to attack it; we want to find a way to steal the secret one two three. Now, do you have an idea? Take a few seconds to look at this slide. First of all, you know, the first thing that you want to try is to manipulate the redirect URI, right? It worked for Facebook, maybe it will also work here. But the problem is that Expo,

Expo instructs the developers to configure the redirect URI as a full path, so in this case I can't do the same attack like I did in Booking; I can't change the redirect URI. So pay attention to another interesting thing: there is a return URL, so maybe I could change it. So what I want to do as the attacker is to change this parameter, the return URL, to my malicious domain, and what I want, the theoretical attack, is that if I change the return URL to attacker.com, then maybe, just maybe, at the last step Expo will send the secret token to me, to my malicious domain. This is my goal. So let's see how it works, if it works. So we

created... I take the same link that you saw in the previous slide, I change the return URL to attacker.com, and the attacker sends this link to Dan. Now what the attacker expects is that Dan clicks on this malicious link from a web or mobile, and the link starts a login flow with Expo and Facebook like you saw in the previous slide, and at the last step of the flow Expo will send the secret token to attacker.com. That's what the attacker wants. So let's see the reality. When Dan clicks on that link there is a confirmation message (the clicker doesn't work, okay). There is a confirmation message. Now maybe if Dan clicks on yes then I can

steal the token, fine, but I can't count on Dan clicking on yes, right? Maybe Dan will click on no. So what I want to do is to find a way to bypass this confirmation message. So let's take a closer look at this confirmation message. Now when Dan clicks on that link, he gets a response from Expo. Now take a look at the response from Expo: there are two interesting things. First of all, there is the HTML code. This is the confirmation message, and if Dan clicks on yes, Expo will redirect him to the next step, to Facebook, right, to continue the flow. Now pay attention to the Set-Cookie. The

Set-Cookie "ru" is set to the return URL, to my malicious domain. Now it will tell Expo where to send the secret token. Now can you see the problem here? The Set-Cookie is in the HTTP header, so no matter what Dan chooses, even if Dan clicks on no, the "ru" value will be set anyway, because it is in the HTTP header. So what can we do with that? We can send two links to Dan. The first link is the regular link to Expo, and the second link is a link to Facebook to continue the flow. So if Dan clicks on no, I will force him to continue the flow. So let's see how it works. Dan clicks on

this link and he gets a response from Expo, and the only thing that is important for me is that Expo sets the cookie "ru" in the browser of Dan to my malicious domain. Now I don't care if Dan clicks on yes or no; I only care about the "ru" value. Now we send Dan the next link, to Facebook. Dan clicks on the link to Facebook, Facebook redirects Dan to Expo, and Expo will read the value "ru" from the cookie and will send the secret token to my malicious domain. So in this way I can steal the token of Dan. Now you might ask yourself, can I really send two links to him? This is an attack,

so no, it's a problem, we can't really ask the victim to click on two links. So I created an automatic exploit. This exploit does everything automatically, and if you want to read and understand the exploit you can again visit salt.security, Company, Salt Labs, and you will find the blog post there with all the information about the exploit. So let's summarize. We discovered that more than 100 websites have been affected. For example, one website is Codecademy. Who knows Codecademy? Wow, okay, really a lot of people, nice. So Codecademy has 100 million accounts and it's used by Google, Amazon, LinkedIn. So we demonstrated the exploit on Codecademy and also on other websites, and it works also on Google, Apple,

Twitter sign-in, not only Facebook. And Expo responded really quickly. They released a first fix after a few hours, a few hours, really, it's really impressive, and eventually they decided to deprecate, to remove this service; they decided to remove it completely. So it's really cool, and we also got a CVE with a really critical score. So this is about Expo. So how many accounts do we have? Thank you. [Applause] So how many accounts do we have? We have 700 million accounts. Now the next target is actually a method. It's not one target, it's several targets, so let's see it. It's going to be really insane. (Maybe I need to press harder on the clicker.) So I call this attack a zero

click account takeover, or access token reuse. So just a note: the next slides are not related to Expo or booking, so if you missed something, because we saw a lot of information, if you missed something you can still follow. It's a different kind of vulnerability. So now it's the time to sit back and listen to this insane vulnerability, really insane.

Okay, so let's start by reading the documentation of Facebook. So in the documentation Facebook says that when a token is received (there are two types of response type, right, code and token), when a token is received it needs to be verified. You need to verify who the token was generated for. That means that it's the responsibility of the developer to verify the access token. Now the question is what can possibly go wrong when you give such a responsibility to developers? A lot, really a lot. So let's see. So meet an example vulnerable target, myvideo.net, which doesn't verify the access token, and what I want to do is to exploit the fact that it forgot to verify the

access token. So let's see how OAuth works in myvideo.net, and you already saw this slide; this is the same thing like time planner. The same thing: Dan authenticates himself to myvideo, he sends the secret one two three. This is the same slide, same thing, you already saw that. Now I just want to change the name of the secret. Instead of calling it secret one two three, let's call it "token of Dan for myvideo.net". I just changed the name, that's all. Now it makes sense, because Facebook generated this token for myvideo.net and this token represents Dan, okay, just a different name. Now meet time planner, the new time planner. Now it's a malicious website

developed by an attacker. So now timeplanner.com is a malicious website, and a lot of people connect to this malicious website: Dan, Kim, John, maybe you. And the attacker collects a lot of tokens, because the attacker is the owner of time planner, so he can obtain those tokens legitimately, nothing malicious here. The attacker is the owner of time planner and he can see all the tokens, all the codes, he can see everything. Now the attack scenario works like this: the attacker takes the token of Dan and he wants to inject the token of Dan into myvideo.net. The attacker wants to connect as Dan to myvideo.net, so he sends the token of Dan for

time planner. And a reminder: myvideo.net needs to validate the token, that the token was generated for it, but it doesn't verify the token, and it goes directly to Facebook and asks, hey, what is the identity of "token of Dan for timeplanner.com"? And Facebook says, hey, I generated this token for time planner, so I guess you're time planner, right? So it's dan@gmail.com, you can trust him. And now I am connected as Dan to myvideo.net. Now myvideo.net is not a real target, it's just for the slide, but it works; theoretically it works. Now the question is, can I find this type of vulnerability in a real website? Because if I can, it's going to be really insane.

I just want to make it clear: Dan only connected to timeplanner.com, that's all, and the attacker can connect to his account in another website. So the attack scenario works like this. In step one the attacker publishes his app timeplanner.com and a lot of people connect, so the attacker has millions of tokens, and in step two the attacker uses those tokens to connect to other websites like myvideo.net and do a massive account takeover. So let's see it on real targets. So what we want to do is to take the token of Dan for timeplanner.com and inject it into other real websites. Now let's see if we can do that. Now the first target is

Vimeo, vimeo.com, and you can see this is the same flow like you saw with time planner, like you saw with myvideo. The attacker wants to start to log in with Facebook, Vimeo says okay, tell Facebook that I need a token as a proof, and the attacker sends a token from another website, "token of Dan for timeplanner.com". You can see here the API request; I changed the access token to the access token that was generated through time planner, and it worked, and I connected as Dan. Really insane, because it's too simple, and I can take over accounts on a really big website. Vimeo has 100 million monthly active users; it's really huge.

You can visit them after the lecture to see them, and they also have some kind of a bug bounty program, so they put my name on the website, so it's really cool. Now let's jump to the next target, and the next target is a big e-commerce website. They are still working on a fix, so I can't mention their name right now. They have 150 million accounts, and this is an e-commerce website, so if you do an account takeover you can read Visa cards, bank accounts, really a lot of things. And the same thing like Vimeo, the same thing like myvideo.net: it worked, an account takeover. So this is the second target. Now, I just want to make it clear:

Dan only connected to one website, timeplanner.com, and I already took over the account of Dan on two other websites. Now let's jump to the next target. Now this is a really big service. I think that all of you here use this service. Unfortunately I can't share the name; they are right now working on a fix, but when I will share the name I think it will be a shock to you. So this target is not simple like the previous ones. As you can see, the response type is code, not token, so what I need to send them is the code of Dan from time planner. Now it's not a problem, because I have the token and I

have the code of Dan, so I try to send them the code of Dan for time planner, but it didn't work. I got an invalid code; I got an error: the code was taken from another website. So I read the documentation of Facebook, and Facebook says that when you use a code and exchange it for a token, Facebook does the validation for you. So code is really more secure compared to token. Now I really want to take over accounts on this website, I really want, so I don't want to give up. Can you see something strange? Can you see what I see? The word "code", okay. So the question is why the

word "code" is in the request. Do they accept other things? Maybe I can force them to receive a token, maybe there is a hidden flow, a hidden API. So we try to use "token", and nope, it didn't work. So I try to use "access token", and it didn't work, and I tried to use "Facebook token", and I tried a lot of values, really, and "Facebook token" worked.

So you can see that I use "Facebook token". This is the token of Dan for timeplanner.com with another website, and I could connect as Dan. And they are still working on a fix; it's a really critical vulnerability. So if you connect to timeplanner.com I can automatically take over your accounts at dozens of websites. Now, a question for you: when was the last time you connected to a website or app you don't really know? Because maybe right now some developer or some attacker has your Facebook token and uses it to connect to other websites right now, as you see it here. So it's really insane, really. Now I really want to share the names of

those targets, I really want, but I can't right now. But if you're really interested to see the names, you can follow us in our blog, in our journey to one and a half billion accounts, maybe it will be two billion accounts, and you can scan the QR code (take a few seconds to scan it), or you can remember salt.security, Company, Salt Labs. Now we will publish the next post about those targets in August, okay. So if you want to scan it or to take a picture, now we have the time. So that's all. I know that this slide has a lot of information; it's a several months' research that I tried to compress into

one presentation, but you can read the blog. I think that if you read the blog post it will answer all your questions, but if you have questions you can talk to me, I'm here, and you can also send me an email or catch me on Twitter, but I'm here. So that's all, thank you. Okay.
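As an added example, not code from the talk, from Salt Labs, or from any of the services named in it, here is a small Python module with the three client-side checks whose absence the talk relies on: exact redirect URI matching (with the backend sending its own registered value in the code exchange rather than a caller-supplied one), a post-login redirect parameter that only accepts a same-origin path, and verification that a browser-supplied access token was issued to this app before its identity is trusted. All URLs, app ids and tokens are constructed placeholders, and the introspection lookup is a constructed stand-in for the provider's real endpoint.

```python
"""Client-side OAuth checks for the three mistakes described in the talk.
Added example: not code from the talk, Salt Labs, Booking, Expo or Facebook.
Every URL, app id and token below is a constructed placeholder."""
import base64
from urllib.parse import urlsplit

# 1. redirect_uri. The Booking attack worked because the provider app validated
# only the domain, so any path under the account host was accepted. Register one
# full URI (the full-path setup Expo required) and compare against it exactly.
REGISTERED_REDIRECT_URI = "https://account.example.com/social/result/facebook"  # placeholder


def redirect_uri_is_allowed(uri):
    """Exact match on scheme, host and path; query, fragment and userinfo are rejected."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    if parts.query or parts.fragment or parts.username or parts.password:
        return False
    candidate = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return candidate == REGISTERED_REDIRECT_URI


def code_exchange_params(code, _client_supplied_result_uri=None):
    """The Booking mobile API forwarded a caller-chosen result URI to the code
    exchange, which is how the provider's redirect_uri mismatch check was bypassed.
    The backend must always send its registered constant and ignore request input."""
    return {"code": code, "redirect_uri": REGISTERED_REDIRECT_URI}


# 2. Post-login redirect. Booking decoded a base64 parameter (the "ey..." value,
# decoding to /settings) and redirected wherever it said, which gave the open
# redirection chained into the redirect_uri path. Accept only a same-origin path.
def encode_target(path):
    """Builds the parameter the way a client would (used by the checks below)."""
    return base64.urlsafe_b64encode(path.encode("utf-8")).decode("ascii").rstrip("=")


def safe_post_login_path(encoded, default="/"):
    try:
        padded = encoded + "=" * (-len(encoded) % 4)
        raw = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:            # https://attacker or //attacker
        return default
    if not raw.startswith("/") or "\\" in raw:  # must be a relative path, no backslash tricks
        return default
    return raw


# 3. Access token reuse. The provider docs quoted in the talk say a token received
# from the browser must be verified: the client has to confirm who it was issued
# to. Skipping this accepts any valid token for that user, including one issued
# to an attacker-owned app such as the talk's timeplanner.com.
MY_APP_ID = "111111111111111"  # placeholder for this app's id at the provider

# Constructed stand-in for the provider's token-introspection answer (Facebook
# exposes this as GET /debug_token?input_token=...&access_token=<app token>, with
# the fields nested under "data"); only the fields the check needs are modelled.
FAKE_INTROSPECTION = {
    "token-of-dan-for-myvideo":     {"is_valid": True,  "app_id": "111111111111111", "user_id": "dan"},
    "token-of-dan-for-timeplanner": {"is_valid": True,  "app_id": "999999999999999", "user_id": "dan"},
    "token-of-dan-expired":         {"is_valid": False, "app_id": "111111111111111", "user_id": "dan"},
}


def introspect(token):
    return FAKE_INTROSPECTION.get(token)


def user_for_access_token(token, introspect=introspect):
    """Return the provider user id only if the token is valid AND issued to MY_APP_ID."""
    info = introspect(token)
    if not info or not info.get("is_valid"):
        return None
    if info.get("app_id") != MY_APP_ID:
        return None  # valid token, wrong audience: the myvideo.net case in the talk
    return info["user_id"]


def extract_login_credential(params):
    """Accept only the documented code (and state). The last target in the talk also
    honoured an undocumented 'Facebook token' parameter, which reopened token reuse."""
    if set(params) - {"code", "state"}:
        return None
    return params.get("code")
```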