Presented at Black Hat USA 2014, Aug. 6, 2014, 5:35 p.m. (25 minutes).
Many Online Social Networks (OSNs) now use OAuth 2.0 to grant access to their API endpoints. Despite many thorough threat model analyses (e.g. RFC 6819), only a few real-world attacks have been discovered and demonstrated. To our knowledge, previously discovered loopholes are all based on the misuse of OAuth, and it was generally believed that the correct use of OAuth 2.0 (by both the OSN provider and the application developer) is secure enough. We break this belief by demonstrating a massive leakage of user data that stems from a blind spot in OAuth's fundamental design rationale: it focuses on protecting the user, not on protecting the application.
We show that, even if OSN providers and application developers follow best practice, application impersonation is inevitable on many platforms, because, following the OAuth 2.0 standard, they support the implicit-authorization-grant flow and bearer-token usage. Although it has become common knowledge for application developers to use the authorization-code-grant flow and to use access tokens in MAC-token style wherever possible, there is no mechanism for them to opt out of the OSN platform's support for the implicit-authorization-grant flow and bearer-token usage. Since different applications may have different privileges, such as access permissions and rate limits, application impersonation in general enables privilege escalation, and the consequence depends on platform-specific details.
As a proof-of-concept experiment, application impersonation has been demonstrated on a large-scale Facebook-like (not Facebook) OSN. Based on this technique, a casual crawler can collect its 100-million-user social graph within just one week, at a projected cost of just $150 USD on Amazon Web Services. Due to this OSN's implementation specifics, similar techniques can be applied to it to obtain other private data, such as all users' status lists and albums. Note that, without privilege escalation, this amount of data (on the order of 10^8 records) cannot be obtained in such a short time at such little cost, even on open graphs like Twitter.
Our discovery shows that it is urgent for industry practitioners to provide the two aforementioned opt-outs in OAuth and to review their API designs. This work also highlights that application protection must be considered in the design of the next version of OAuth, and likewise of other Single-Sign-On protocols.
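The two opt-outs the abstract asks for, and why they matter, can be seen in a small model of an authorization server and resource server. The following is an added example written for this page; it is not code from the talk or from any OSN platform, and the app names, rate limits and the simplified one-step "code" flow (the code-for-token exchange is collapsed) are constructed. It shows (1) a per-app registration setting that refuses `response_type=token` for apps that did not enable the implicit grant, and (2) MAC-style (proof-of-possession) tokens, where presenting the token string alone does not grant the app's privileges because every API request must carry an HMAC computed with a key only the legitimate app holds, in contrast to bearer tokens, where possession is the only check.

```python
"""Toy model of the OAuth 2.0 design choices discussed in the abstract.

Constructed example, not code from the talk or from any OSN platform.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class App:
    client_id: str
    allowed_response_types: frozenset   # flows the developer has opted into
    rate_limit: int                     # stands in for per-app privileges
    token_style: str                    # "bearer" or "mac"


@dataclass
class Token:
    value: str
    client_id: str
    mac_key: Optional[str] = None       # only set for MAC-style tokens


def compute_mac(mac_key: str, method: str, path: str, ts: str, nonce: str) -> str:
    """HMAC-SHA256 over timestamp, nonce and request line; the key never leaves the app."""
    msg = f"{ts}\n{nonce}\n{method}\n{path}\n".encode()
    return hmac.new(mac_key.encode(), msg, hashlib.sha256).hexdigest()


class Provider:
    def __init__(self) -> None:
        self.apps: dict = {}
        self.tokens: dict = {}

    def register(self, app: App) -> None:
        self.apps[app.client_id] = app

    def authorize(self, client_id: str, response_type: str) -> Token:
        """Authorization endpoint. Honours the per-app flow opt-out (assumed setting)."""
        app = self.apps[client_id]
        if response_type not in app.allowed_response_types:
            raise PermissionError(f"{client_id} does not allow response_type={response_type}")
        tok = Token(secrets.token_urlsafe(16), client_id)
        if app.token_style == "mac":
            tok.mac_key = secrets.token_hex(16)   # delivered to the app over the back channel
        self.tokens[tok.value] = tok
        return tok

    def api_call(self, token_value: str, method: str, path: str,
                 ts: str = "0", nonce: str = "", mac: Optional[str] = None) -> int:
        """Resource server. Returns the rate limit granted to the caller."""
        tok = self.tokens.get(token_value)
        if tok is None:
            raise PermissionError("unknown token")
        app = self.apps[tok.client_id]
        if app.token_style == "bearer":
            # Bearer semantics: whoever presents the string is treated as the app.
            return app.rate_limit
        expected = compute_mac(tok.mac_key, method, path, ts, nonce)
        if mac is None or not hmac.compare_digest(expected, mac):
            raise PermissionError("missing or invalid MAC")
        return app.rate_limit


def demo() -> dict:
    p = Provider()
    p.register(App("free_app", frozenset({"code", "token"}), rate_limit=100, token_style="bearer"))
    p.register(App("partner_app", frozenset({"code"}), rate_limit=100_000, token_style="mac"))
    out = {}
    # 1. Opt-out: the implicit grant is refused for the app that did not enable it.
    try:
        p.authorize("partner_app", "token")
        out["implicit_refused"] = False
    except PermissionError:
        out["implicit_refused"] = True
    # 2. Bearer token: the resource server cannot tell who is presenting it.
    bearer = p.authorize("free_app", "token")
    out["bearer_holder_limit"] = p.api_call(bearer.value, "GET", "/friends")
    # 3. MAC token: the token string alone is useless without the app-held key.
    mac_tok = p.authorize("partner_app", "code")
    try:
        p.api_call(mac_tok.value, "GET", "/friends")
        out["mac_without_key_rejected"] = False
    except PermissionError:
        out["mac_without_key_rejected"] = True
    ts, nonce = "1407366900", secrets.token_hex(4)   # arbitrary sample values
    sig = compute_mac(mac_tok.mac_key, "GET", "/friends", ts, nonce)
    out["mac_with_key_limit"] = p.api_call(mac_tok.value, "GET", "/friends", ts, nonce, sig)
    return out


if __name__ == "__main__":
    print(demo())
```

Under bearer semantics the resource server has no way to learn which application is really calling, so the privileges attached to a token follow the token string wherever it goes; under MAC semantics the key stays with the registered application and a token that has travelled elsewhere confers nothing. A production design would also bind the MAC to the request body, check the timestamp window and reject reused nonces.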
Presenters:
- Pili Hu, The Chinese University of Hong Kong
Pili Hu is currently a PhD candidate in the Department of Information Engineering, Chinese University of Hong Kong (CUHK). Before joining CUHK, he obtained a bachelor's degree from the University of Electronic Science and Technology of China (UESTC) and worked in Baidu as a search engine algorithm research/development engineer. His current research interest is Decentralized Social Networks.
- Wing Cheong Lau, The Chinese University of Hong Kong
Wing C. Lau is currently an Associate Professor in the Department of Information Engineering and the Director of the Mobile Technologies Center at the Chinese University of Hong Kong. His research interests include Network/Systems Security, RFID Systems and Protocol Design, Pervasive Computing, Mobile Social Networks Design, and performance analysis. Wing received a BS degree from The University of Hong Kong and MS and PhD degrees in Electrical and Computer Engineering from The University of Texas at Austin. From 1997 to 2004, he was a Member of the Technical Staff within the Performance Analysis Department at Bell Laboratories in Holmdel, New Jersey, where he conducted research in networking systems design and performance analysis. Wing joined Qualcomm, San Diego, California, in 2004 as a Senior Staff Member conducting research on Mobility Management Protocols for the Next Generation Wireless Packet Data Networks. He also contributed actively to the standardization of such protocols in the Internet Engineering Task Force (IETF) and 3GPP2. Wing is a Senior Member of IEEE and a member of ACM and Tau Beta Pi. He has been a Technical Program Committee Member of various international conferences, including IEEE INFOCOM, WCNC, and VTC. He also served as the Guest Editor for the special issue on High-Speed Network Security of the IEEE Journal of Selected Areas in Communications (JSAC). Wing holds 17 US patents with a few more pending. His research findings have been published in more than 70 scientific papers in leading international journals and conferences. Wing is actively involved in various research projects related to Online Social Network Privacy and Vulnerabilities, Authenticated 2D barcodes, smartphone-based ambient sensing, social computing, DDoS attacks/defenses, and the Quality-of-Experience evaluation for wireless/networking services.