One oAuth 2.0 hack, 1 Billion Android App Accounts potentially exposed

Pierluigi Paganini November 05, 2016

Security researchers demonstrated that a Wrong oAuth 2.0 implementation allows a remote simple hack that exposes more than 1 Billion Android App Accounts.

A remote simple hack devised by a group of security researchers threatens an amazing number of Android and iOS apps. An attacker can use the technique to sign into any victim’s mobile app account without any knowledge of the legitimate user.

The research team from the Chinese University of Hong Kong is composed of Ronghai Yang, Wing Cheong Lau, and Tianyu Liu. The experts discovered that the vast majority of popular mobile apps that use the single sign-on (SSO) service doesn’t properly implement the OAuth 2.0 protocol.

The OAuth 2.0 authentication protocol is widely used on social networking sites, every day billion of users access their profiles on Facebook and Google+ using it.

Using the OAuth 2.0, users can sign in for third-party services by verifying existing identity through their accounts on popular web services such as Google, Facebook, or Sina.

Once authenticated, the users haven’t to provide their credentials to access other services implementing the OAuth 2.0 protocol.

This process enables users to sign-in to any service without providing additional usernames or passwords. This magic is possible because when a user logs into a third party app via OAuth, the app checks with the ID provider (i.e. Facebook, Google).
The ID providers, in turn, provide the Access Token to the server of that mobile app that uses it to request the user’s authentication information from the ID provider (i.e. Facebook). In this way, it is able to check user’s identity with data provided by the ID provider and authorize the login.
Below an image from the slides presented by the Team at the Black Hat Europe.

oAuth 2.0 process

The Chinese researchers discovered that a large number of Android apps did not properly check the validity of the information passed by the ID provider.
The experts explained that the server app instead of verifying the OAuth information included in the Access Token to authenticate the user, the app server would only check if the information is passed by a legitimate ID provider.
This implementation opens the doors to the attackers that can install the flawed app on their mobile devices, log in to their own account and then simply by changing their username to the victim’s one by setting up a server to modify the data sent from Facebook, Google or other ID providers.
oAuth 2.0 attack
With this technique, the attacker can access data used by the flawed app potentially exposing sensitive information or use the app acting on behalf of the victims.

“The problem is a pretty basic mistake,” Lau told Forbes.

“The impact, he said, could be severe. For instance, if the hacker broke into a travel app, they could learn the full itinerary of an individual. For a hotel booking app, they could book a room and have the victim pay for it. Or they could simply steal personal data, like addresses or bank details.” wrote Thomas Fox-Brewster from Forbes.

“A lot of third party developers are ma and pa shops, they don’t have the capability. Most of the time they’re using Google and Facebook recommendations, but if they don’t do it correctly, their apps will be wide open.” . 

The experts have found hundreds of popular US and Chinese Android apps that support SSO service. The number of  downloads is huge, the researchers explained that a total of over 2.4 Billion downloads are vulnerable to this attack.

The experts estimated that over a Billion different mobile app accounts are at risk of being hijacked with their attack.

oAuth 2.0 attack-3

The researchers did not perform any test on iOS devices, but they believed that the attack would work also on Apple apps

“Although our current attack is demonstrated over the Android platform, the exploit itself is platform-agnostic: any iOS or Android user of the vulnerable mobile app is affected as long as he/ she has used the OAuth2.0-based SSO service with the app before,” the researchers said. 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – oAuth 2.0, mobile hacking)


you might also like

leave a comment