securing the insecure - Hakim
securing the insecure - Hakim
securing the insecure - Hakim
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Black Hat US 2011 khash kianikhash@thinksec.comOAuth<strong>securing</strong> <strong>the</strong> <strong>insecure</strong>
oadmap‣ OAuth flow‣ <strong>insecure</strong> implementation1. <strong>insecure</strong> storage of secrets2. evil mobile and web OAuth apps3. flawed session management4. password reset‣ summary2
what’s OAuth?3
user-centric schemeuser controls authorizationFMTokenAIGTokenuserTwitterTokenTwitterToken4
actors:resource owner (user)resource consumer (client)resource provider (server)tokens:consumer credentialsrequest tokenaccess token5
authorization flow1. client app au<strong>the</strong>ntication2. get request token: POST oauth/request_token3. au<strong>the</strong>nticate user: GET oauth/authorize4. get access token: POST oauth/access_token6
Insecure Implementation7
<strong>insecure</strong> storage of secrets(consumer credentials)8
OAuth flowstep 1: register client9
1. public class TwitterClient { 2. 3. private static String key = "qSkJuxxxxxxxx76A"; 4. private static String secret = "Bs738xxxxxxxxxxxxxxZe9EhXw"; 10
server-side‣ isolate <strong>the</strong> credentials‣ protect <strong>the</strong> integrity11
native clients‣ native mobile app‣ desktop apps12
“... if twitter uses <strong>the</strong> client secret in installed applications foranything o<strong>the</strong>r than ga<strong>the</strong>ring statistics, well, <strong>the</strong>y shouldreconsider.”“So forget about using <strong>the</strong> consumer credentials for anythingo<strong>the</strong>r than somewhat reliable statistics.”- e. hammer lahav13
how about <strong>the</strong>se use cases:‣ fulfill specific business requirements- server must keep track of all clients‣ prevent phishing attacks14
popular implementations(native apps)1. omit <strong>the</strong> client credentials entirely2. embed in <strong>the</strong> client app itself15
threat(with embedded client credentials)‣ compromised credentials16
open source clients‣ source code‣ resource bundle17
<strong>the</strong> not so secret consumer secrets18
closed source clients‣ binary extraction on android oauth client:‣ astro file mgr to copy <strong>the</strong> client app‣ poke around‣ classes.dex‣ “dexdump classes.dex20
compromised credentialsimpact:‣ key rotation and kill switch‣ not meeting business requirements‣ anonymous publication by competition‣ susceptible to phishing attacks21
suboptimal solutions‣ client secret obfuscation (ProGuard for Android)‣ ProGuard for Android: Don’t put sensitive info in XML resource files!‣ negotiate credentials with your backend server‣ what will stop a rogue client?22
alternative mitigation‣ a deviated approach with automated provisioning23
alternate flow‣ au<strong>the</strong>nticate user to client’s web server‣ call home to get device id‣ store device id locally‣ proceed with oauth flow to get request token‣ validate device id to au<strong>the</strong>nticate client‣ proceed with <strong>the</strong> flow to grant access token24
uilding malicious OAuth clients(native and web apps)26
password <strong>the</strong>ft with Google client(a native iOS mobile app)27
OAuthSampleTouch mobile Google app‣ download‣ compile‣ run‣ edit controller28
modify <strong>the</strong> UIWebViewDelegate’s:webView:shouldStartLoadWithRequest:navigationTypecallback methodto intercept <strong>the</strong>login page priorto sending <strong>the</strong>post request29
OAuth process withan embedded viewuser au<strong>the</strong>nticates andgrants permission30
output <strong>the</strong> Google credentials31
“but it looked so official!”OAuth provides <strong>the</strong> user with a false senseof safety in <strong>the</strong> au<strong>the</strong>ntication workflow32
ecommendations‣ client application developers: keep au<strong>the</strong>nticationoutside <strong>the</strong> app and inside <strong>the</strong> browser‣ users: do not trust clients that do not use a trustedneutral application such as safari to manage server auth‣ protocol designers: stricter policies aroundau<strong>the</strong>nticating clients to server. better browser API support33
fortune telling facebook app(a browser-based web application)a social engineering oauth application to establish user trust34
lure <strong>the</strong> victim to use your appdomain apps.facebook.com is trustworthy!phisheasy!35
https://apps.facebook.com/redevilfortune/accessscope36
70%* source: core impact client-side phishing campaign37
query private user messagesread <strong>the</strong>inboxmessages38
uild <strong>the</strong> trap to aid exploitationlink to executeajax post andcarry our CSRF39
assumptions‣ victim has an active session with his banking site‣ no CSRF protection by banking site!40
“but it looked so official!”OAuth provides <strong>the</strong> user with a false senseof safety in <strong>the</strong> au<strong>the</strong>ntication workflow41
Dear Facebook,what is <strong>the</strong> business need for a webapplication to read my private messages?42
flawed session management43
Avon selects twitterfeed to publish something44
- Avon is redirected to twitter’s authorization endpoint- Avon enters his twitter credentials and grants access45
- Avon is redirected back to complete <strong>the</strong> feed- Avon signs out of twitterfeed and walks away46
isks‣ unattended session‣ no session timeout‣ user remains logged in49
what can go wrong?50
problem, meet solution‣ invalidate server session‣ short-lived access token‣ no auto-processing53
a better approach54
can you really changeyour password?55
change password = old password still works!57
solution‣ ensure compromised credentials cannot be used‣ revoke tokens upon password changes- results from facebook access token leakage to 3 rd party apps59
conclusion- defeating password anti-pattern- implementation, not protocol- private vs. public APIs- open vs. closed source clients- keep callback url intact- trusting native mobile apps- don’t trust <strong>the</strong> logo- don’t trust <strong>the</strong> domain60
take-away:use it when it makes sense!61
please turn in your completed feedbackform at <strong>the</strong> registration deskTHANK YOU!khash@thinksec.com62