Presented at Black Hat Europe 2016
Nov. 4, 2016, noon
The OAuth2.0 protocol has been widely adopted by mainstream Identity Providers (IdPs) to support Single Sign-On (SSO) services. Since the protocol was originally designed to serve the authorization needs of third-party websites, various vulnerabilities have been uncovered when OAuth is adapted to support mobile app authentication. To the best of our knowledge, all the attacks discovered so far, including those presented at Black Hat USA '16, CCS '14 and ACSAC '15, require some interaction with the victim, for example via a malicious app or network eavesdropping. By contrast, we have discovered a new type of widespread but incorrect usage of OAuth that can be exploited remotely by an attacker to sign into a victim's mobile app account without any involvement or awareness of the victim. The root cause of this vulnerability is a common but misplaced trust in the authenticating information that the third-party app's backend server receives from its own client-side mobile app, which in turn relies on potentially tampered information obtained from the client-side mobile app of the IdP.

To confirm the widespread nature of the vulnerability, we have developed an exploit for it against three top-tier IdPs which support SSO services for many third-party mobile apps and serve billions of registered users worldwide. Our empirical findings are alarming: on average, 46.26% of the mobile apps under test are found to be vulnerable to the new attack. Our incomplete list of vulnerable applications includes top-ranked mobile apps for travel planning, hotel reservation, personal finance management, private chatting, dating services, online shopping, and video/music streaming. The total number of downloads for this incomplete list of popular but vulnerable apps already exceeds 2.4 billion. As such, a massive amount of extremely sensitive personal information is wide open for grabs as a result of this vulnerability.
For some of the vulnerable apps, the online currency or service credits associated with the victim's mobile app account are also at the disposal of the attacker. Although our current attack is demonstrated on the Android platform, the exploit itself is platform-agnostic: any iOS or Android user of a vulnerable mobile app is affected as long as he or she has used the OAuth2.0-based SSO service with the app before. It is therefore urgent for the various affected parties to take immediate preventive and remedial actions when implementing OAuth2.0-based SSO services for mobile applications.
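The trust boundary the abstract describes can be made concrete with a small model of the third-party app's backend. The example below is added here and is not code from the talk, the authors, or any real IdP: the IdP, the app identifier `APP_ID`, the tokens, the user identifiers and the account table are all constructed, and `idp_token_info` stands in for whatever server-side token verification call a real IdP offers. `login_vulnerable` follows the pattern the abstract criticises (the backend believes the user identifier its own mobile client forwards), while `login_hardened` only accepts the access token, asks the IdP whose token it is and for which app it was issued, and takes the identity from the IdP's answer.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical client_id of the third-party app at the IdP (constructed).
APP_ID = "app-travelplanner"

# Constructed IdP state: which access token belongs to which user and which app.
IDP_TOKENS = {
    "tok-victim-appA":   {"user_id": "u-1001", "app_id": APP_ID},
    "tok-attacker-appA": {"user_id": "u-2002", "app_id": APP_ID},
    "tok-attacker-appB": {"user_id": "u-2002", "app_id": "app-other"},
}


def idp_token_info(access_token: str) -> Optional[dict]:
    """Stand-in for the IdP's server-side token verification endpoint.
    Returns the token's owner and the app it was issued to, or None for an
    unknown or invalid token.  A real backend would make this call over TLS
    to the IdP; the lookup table above is constructed for the example."""
    return IDP_TOKENS.get(access_token)


# Third-party app backend: its own accounts, keyed by the IdP user id.
APP_ACCOUNTS = {"u-1001": "victim-account", "u-2002": "attacker-account"}


@dataclass
class LoginResult:
    ok: bool
    account: Optional[str] = None
    reason: str = ""


def login_vulnerable(request: dict) -> LoginResult:
    """The misplaced-trust pattern: the backend accepts the user id that its
    own mobile client reports (which the client relayed from the IdP's SDK).
    Whoever controls that client-side value chooses the account to sign into."""
    uid = request.get("user_id")
    if uid in APP_ACCOUNTS:
        return LoginResult(True, APP_ACCOUNTS[uid])
    return LoginResult(False, reason="unknown user")


def login_hardened(request: dict) -> LoginResult:
    """Server-to-server verification: only the access token is accepted from
    the client; the IdP says who owns it, and the backend checks the token was
    issued to this app before trusting that identity."""
    token = request.get("access_token")
    if not token:
        return LoginResult(False, reason="no access token")
    info = idp_token_info(token)
    if info is None:
        return LoginResult(False, reason="token rejected by IdP")
    if info["app_id"] != APP_ID:
        # A token minted for a different app must not log into this one.
        return LoginResult(False, reason="token audience mismatch")
    uid = info["user_id"]  # identity comes from the IdP, never from the client
    if uid not in APP_ACCOUNTS:
        return LoginResult(False, reason="unknown user")
    return LoginResult(True, APP_ACCOUNTS[uid])


# Constructed attacker request: a token the attacker legitimately obtained for
# their own account, with the forwarded user_id tampered to the victim's.
ATTACK_REQUEST = {"access_token": "tok-attacker-appA", "user_id": "u-1001"}
# Same tampering, but with a token issued to an unrelated app.
CROSS_APP_REQUEST = {"access_token": "tok-attacker-appB", "user_id": "u-1001"}

if __name__ == "__main__":
    print(login_vulnerable(ATTACK_REQUEST))   # ok=True, account='victim-account'
    print(login_hardened(ATTACK_REQUEST))     # ok=True, account='attacker-account'
    print(login_hardened(CROSS_APP_REQUEST))  # ok=False, token audience mismatch
```

Running the block shows the two outcomes side by side: the vulnerable path signs the attacker into the victim's account from a single forged field, while the hardened path binds the login to whatever identity the IdP reports for the token, and additionally refuses tokens issued to another app, so a token an attacker collected elsewhere cannot be replayed against this backend.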
Wing Cheong Lau
- Associate Professor, Department of Information Engineering, The Chinese University of Hong Kong
Wing C. Lau is currently an Associate Professor in the Department of Information Engineering and the Director of the Mobile Technologies Center at The Chinese University of Hong Kong. He received his BSc(Eng) degree from The University of Hong Kong and MS and PhD degrees in Electrical and Computer Engineering from The University of Texas at Austin. From 1997 to 2004, he was a Member of the Technical Staff within the Performance Analysis Department at Bell Laboratories in Holmdel, New Jersey, where he conducted research in networking systems design and performance analysis. Wing joined Qualcomm, San Diego, California, in 2004 as a Senior Staff Member conducting research on Mobility Management Protocols for the Next Generation Wireless Packet Data Networks. He also actively contributed to the standardization of such protocols in the Internet Engineering Task Force (IETF) and 3GPP2. Wing is a Senior Member of IEEE and a member of ACM and Tau Beta Pi. He is/has been a Technical Program Committee Member of various flagship international conferences, including ACM Sigmetrics, MobiHoc, IEEE Infocom, SECON, ICC, Globecom, WCNC, VTC and ITC. Wing holds 17 US patents with a few more pending. His research findings have culminated in more than 90 scientific papers in leading international journals and conferences. Wing's recent research interests include Online Social Network Privacy and Vulnerabilities, Mobile Security, Resource Allocation for Cloud Computing and Big Data Processing Systems, Decentralized Social Networks, Authenticated 2D barcodes and their Applications. Wing served as the Guest Editor for the Special Issue on High-Speed Network Security of the IEEE Journal of Selected Areas in Communications (JSAC). He and his students' previous work on OAuth2.0 insecurity has been presented in BlackHat USA 2014, ACM Conference on Online Social Networks (COSN) 2014, 2015 as well as ACM AsiaCCS 2016. 
He was an invited speaker on Cloud Security research at the Asia Pacific Innovation Summit in Dec 2014. Wing also co-invented the Authenticated Papers technology, which won the Grand Award in the Research and Development category of the Asia Pacific ICT Awards (APICTA) in Nov. 2013.
Ronghai Yang
- PhD Candidate, Department of Information Engineering, The Chinese University of Hong Kong
Ronghai Yang is currently a PhD candidate in the Department of Information Engineering at The Chinese University of Hong Kong. His supervisor is Wing Cheong Lau. He received his bachelor's degree from the University of Science and Technology of China (USTC) in 2013. His research interests include protocol verification, applied cryptography and cyber security. His previous work on OAuth2.0 insecurity has been presented at the ACM Conference on Online Social Networks (COSN) 2014 as well as ACM AsiaCCS 2016.