Exploiting CSP in WebKit to Break Authentication and Authorization

Presented at Black Hat Europe 2021, Nov. 10, 2021, 3:20 p.m. (40 minutes)

When it comes to modern web applications, browsers are the first line of defense. While built-in security features that come compiled with browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in browsers' implementation of such security features can have devastating effects. In this session, we will talk about a vulnerability in Webkit (Safari, and all browsers in iOS devices including Firefox and Chrome) and a security feature in browsers which when abused allowed us to leak certain cross-site information which made almost every application using authentication/authorization technologies such as Single Sign-On and OAuth vulnerable, thus giving us instant access to user accounts. The talk will also include our take and workarounds on the latest browser features like ITP, SameSite Cookies, etc., and uses techniques and approaches to bypass common measures implemented to prevent such vulnerabilities.

We will explain how we were able to exploit hundreds of companies with over billions of users and were able to harvest over $100k in bounties. Even corporations like Google, Facebook, Gitlab, Coinbase and others who are very cautious with security measures were all vulnerable. The exploit, on one hand, demonstrates how sometimes not adhering to a simple-looking specification can turn into a disaster and on the other hand, how simply following the specification might not be enough.

We'll also talk about programs' responses to our reports and a general understanding of such vulnerabilities, fixes, and bypasses we came up with. Finally, we'll conclude with how to address such vulnerabilities using yet another browser feature.


Presenters:

  • Prakash Sharma - Co-Founder, Threatnix
    Prakash Sharma is a Security Engineer at Threat Nix. His area of focus is in application security, where he constantly involves himself in finding unique ways of exploiting vulnerabilities and novel techniques otherwise unknown. He also enjoys finding subtle flaws in browsers' implementation of security features. He has been acknowledged by tech giants like Apple, Google, Facebook, Microsoft, etc. for his contributions in discovering vulnerabilities in their systems and improving their security posture. Aside from security, he is also an amateur photographer and an avid traveler.
  • Sachin Thakuri - Co-Founder, Threatnix
    Sachin Thakuri is an experienced security professional focusing on application and mobile security who has been in this field for 6+years. Featured on various international media for his work, he is currently running his own security company that is based in Nepal.

Links:

Similar Presentations: