Make Redirection Evil Again - URL Parser Issues in OAuth

Presented at Black Hat Asia 2019, March 29, 2019, 3:30 p.m. (30 minutes)

Since 2012, OAuth 2.0 has been widely deployed by online service providers worldwide. Security-related headlines related to OAuth showed up from time to time, and most problems were caused by incorrect implementations of the protocol/service. The User-Agent Redirection mechanism in OAuth is one of the weaker links, as it is difficult for developers and operators to realize, understand, and implement all the subtle but critical requirements properly.

In this talk, we begin by tracing the history of the security community's understanding of OAuth redirection threats. The resultant changes/evolution of the OAuth specification, as well as the best current practice on its implementation/deployment, will also be discussed.

We then introduce new OAuth redirection attack techniques which exploit the interaction of URL parsing problems with redirection handling in mainstream browsers or mobile apps. In particular, some attacks leverage our newly discovered URL interpretation bugs in mainstream browsers or Android platform (The latter were independently discovered and have been patched recently).

Our empirical study on 50 OAuth service providers worldwide found that numerous top-tiered providers with over 10,000 OAuth client apps and 10's of millions of end-users are vulnerable to this new attack with severe impact. In particular, it enables the attacker to hijack 3rd party (Relying party) application / web-based service accounts, gain access to sensitive private information / protected resources, or even perform privileged actions on behalf of the victim users.

Presenters:

• Ronghai Yang - Security Expert, Sangfor Technologies Inc.
  Ronghai Yang is currently a security expert in Sangfor Techonology Inc. He received a PhD degree from the Chinese University of Hong Kong under the supervision of Prof. Wing Lau. His research interest includes protocol verification,  formal methods and general cyber security. His previous work has been presented in USENIX Security 2018 and Black Hat Europe, etc.
• Shangcheng Shi - Ph.D. Student, Department of Information Engineering, The Chinese University of Hong Kong
  Shangcheng Shi is currently a Ph.D. student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His main research interests are mobile security and system security.
• Wing Cheong Lau - Associate Professor, Department of Information Engineering, The Chinese University of Hong Kong
  Wing Cheong Lau is currently an Associate Professor in the Department of Information Engineering and the Director of the Mobile Technologies Center at the Chinese University of Hong Kong (CUHK). Before joining CUHK, he spent 10 years in the US with Bell Labs, Holmdel and Qualcomm, San Diego. Wing received his BSEE degree from the University of Hong Kong and MS and PhD degrees in Electrical and Computer Engineering from the University of Texas at Austin. His research interests include Networking Protocol Design and Performance Analysis, Network/ Systems Security, Mobile Computing and System Modeling. His recent research projects include: Resource Allocation and Management for Data-center-scale Computing, Online Social Network Privacy and Vulnerabilities, Authenticated 2D barcodes and Decentralized Social Networking Protocols/ Systems. He is/has been on the Technical Program Committee for various international conferences including ACM Sigmetrics Mobihoc, IEEE Infocom, SECON, ICC, Globecom, WCNC, VTC, and ITC. He also served as the Guest Editor for the Special Issue on High-Speed Network Security of the IEEE Journal of Selected Areas in Communications (JSAC). Wing holds 19 US patents. Related research findings have culminated in more than 100 scientific papers in major international journals and conferences. Wing is a Senior Member of IEEE and a member of ACM and Tau Beta Pi.
• Xianbo Wang - MPhil Student, The Chinese University of Hong Kong
  Xianbo Wang is currently an MPhil student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His current research interests include web application security and Android security. He enjoys participating in CTFs and Bug Bounty programs.

Links:

• https://www.blackhat.com/asia-19/briefings/schedule/#make-redirection-evil-again---url-parser-issues-in-oauth-13704

Similar Presentations:

• RomHack 2019 / Oh! Auth: Implementation pitfalls of OAuth 2.0 & the Auth Providers who have fell in it
• LocoMocoSec 2019 / How not to use OAuth
• Black Hat USA 2016 / 1000 Ways to Die in Mobile OAuth