2022/07/13 21:27:16

OAuth (Open Authorization Protocol)

2022: Found ways to capture an account with OAuth tokens

A security researcher has found that an account can be taken over with a single mouse click by abusing the OAuth open authorization process. This became known on July 12, 2022.

The key feature of OAuth is that once a user has one protected account, OAuth lets them authenticate to other services without entering their login and password there.

Frans Rosén, security advisor at Detectify, described the scenarios as "dirty dancing." An attacker can abuse the OAuth authentication flow and the communication between the browser and the service provider. A cybercriminal can combine response-type switching, invalid state values and quirks in redirect URI handling to steal an authorization code or token.

To steal a token, a cybercriminal must first break the chain between the system that issues the tokens and the service provider that uses them. To do this, the state value is changed through a specially crafted link delivered to the victim via a phishing login page.

After logging in, the victim is redirected back to the website, but the token "dance" is interrupted because there is no valid state for the user. The victim is then shown an error message, and the attacker is able to obtain the data and URL from that error page.

"Now the cybercriminal can log in with his own state and the code received from the victim."

"If you use OAuth correctly, you must also provide a redirect URI to the service provider for verification when you receive a token from the service. If the redirect URI used in the 'dance' doesn't match the value the website sends to the provider, the access token won't be issued," Rosén explained.

A cybercriminal can also perform an XSS attack on a third-party domain that receives URL data during authentication and use APIs to obtain the URL.

To reduce the risk of an attack, the researcher recommends reviewing the OAuth 2.0 security guide. Make sure that the OAuth authorization response pages do not contain any third-party resources or links, and only allow a restricted set of OAuth response types and modes[1].
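The checks above, as an added example that is not part of the original article or of Rosén's research: a callback validator for an OAuth client that enforces an exact redirect URI match, a session-bound state value and a code-only response type, and that never renders the received code on an error page. The URLs, state values and `ALLOWED_RESPONSE_TYPES` policy are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, parse_qs
import hmac

# Constructed policy: the client only accepts the authorization-code flow,
# so tokens arriving in the URL fragment (implicit flow) are refused.
ALLOWED_RESPONSE_TYPES = {"code"}


@dataclass
class CallbackResult:
    ok: bool
    reason: str          # safe to show on an error page: it never contains the code
    code: Optional[str] = None


def validate_callback(callback_url: str, expected_state: Optional[str],
                      registered_redirect_uri: str) -> CallbackResult:
    parts = urlsplit(callback_url)

    # 1. Exact redirect URI match on scheme, host, port and path; no prefix matching.
    received_base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received_base != registered_redirect_uri:
        return CallbackResult(False, "redirect_uri mismatch")

    # 2. Response-type switching: if only 'code' is allowed, anything delivered
    #    in the fragment (access_token, id_token, or a code moved there) is rejected.
    if parts.fragment and "token" not in ALLOWED_RESPONSE_TYPES:
        frag = parse_qs(parts.fragment)
        if any(k in frag for k in ("access_token", "id_token", "code")):
            return CallbackResult(False, "unexpected response type in fragment")

    # 3. The state must exist for this browser session and match in constant time.
    #    A missing or foreign state is the "broken dance" the article describes.
    if expected_state is None:
        return CallbackResult(False, "no pending state for this session")
    query = parse_qs(parts.query)
    state = query.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        return CallbackResult(False, "state missing or invalid")

    # 4. Provider errors are surfaced by name only; the code is never echoed back.
    if "error" in query:
        return CallbackResult(False, f"provider error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if code is None:
        return CallbackResult(False, "no authorization code")
    return CallbackResult(True, "ok", code)
```

On any failure the caller should redirect to a clean URL (without the query string) before rendering the error, so the code never reaches a page that may load third-party resources.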

Notes