Presented at
Black Hat Asia 2019,
March 29, 2019, 3:30 p.m.
(30 minutes).
Since 2012, OAuth 2.0 has been widely deployed by online service providers worldwide. Security-related headlines related to OAuth showed up from time to time, and most problems were caused by incorrect implementations of the protocol/service. The User-Agent Redirection mechanism in OAuth is one of the weaker links, as it is difficult for developers and operators to realize, understand, and implement all the subtle but critical requirements properly.
In this talk, we begin by tracing the history of the security community's understanding of OAuth redirection threats. The resultant changes/evolution of the OAuth specification, as well as the best current practice on its implementation/deployment, will also be discussed.
We then introduce new OAuth redirection attack techniques which exploit the interaction of URL parsing problems with redirection handling in mainstream browsers or mobile apps. In particular, some attacks leverage our newly discovered URL interpretation bugs in mainstream browsers or Android platform (The latter were independently discovered and have been patched recently).
Our empirical study on 50 OAuth service providers worldwide found that numerous top-tiered providers with over 10,000 OAuth client apps and 10's of millions of end-users are vulnerable to this new attack with severe impact. In particular, it enables the attacker to hijack 3rd party (Relying party) application / web-based service accounts, gain access to sensitive private information / protected resources, or even perform privileged actions on behalf of the victim users.
Presenters:
-
Xianbo Wang
- MPhil Student, The Chinese University of Hong Kong
Xianbo Wang is currently an MPhil student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His current research interests include web application security and Android security. He enjoys participating in CTFs and Bug Bounty programs.
-
Wing Cheong Lau
- Associate Professor, Department of Information Engineering, The Chinese University of Hong Kong
Wing Cheong Lau is currently an Associate Professor in the Department of Information Engineering and the Director of the Mobile Technologies Center at the Chinese University of Hong Kong (CUHK). Before joining CUHK, he spent 10 years in the US with Bell Labs, Holmdel and Qualcomm, San Diego. Wing received his BSEE degree from the University of Hong Kong and MS and PhD degrees in Electrical and Computer Engineering from the University of Texas at Austin. His research interests include Networking Protocol Design and Performance Analysis, Network/ Systems Security, Mobile Computing and System Modeling. His recent research projects include: Resource Allocation and Management for Data-center-scale Computing, Online Social Network Privacy and Vulnerabilities, Authenticated 2D barcodes and Decentralized Social Networking Protocols/ Systems. He is/has been on the Technical Program Committee for various international conferences including ACM Sigmetrics Mobihoc, IEEE Infocom, SECON, ICC, Globecom, WCNC, VTC, and ITC. He also served as the Guest Editor for the Special Issue on High-Speed Network Security of the IEEE Journal of Selected Areas in Communications (JSAC). Wing holds 19 US patents. Related research findings have culminated in more than 100 scientific papers in major international journals and conferences. Wing is a Senior Member of IEEE and a member of ACM and Tau Beta Pi.
-
Shangcheng Shi
- Ph.D. Student, Department of Information Engineering, The Chinese University of Hong Kong
Shangcheng Shi is currently a Ph.D. student in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. His main research interests are mobile security and system security.
-
Ronghai Yang
- Security Expert, Sangfor Technologies Inc.
Ronghai Yang is currently a security expert in Sangfor Techonology Inc. He received a PhD degree from the Chinese University of Hong Kong under the supervision of Prof. Wing Lau. His research interest includes protocol verification, formal methods and general cyber security. His previous work has been presented in USENIX Security 2018 and Black Hat Europe, etc.
Links:
Similar Presentations: