Hacking

One oAuth 2.0 hack, 1 Billion Android App Accounts potentially exposed

Security researchers demonstrated that a Wrong oAuth 2.0 implementation allows a remote simple hack that exposes more than 1 Billion Android App Accounts.

A remote simple hack devised by a group of security researchers threatens an amazing number of Android and iOS apps. An attacker can use the technique to sign into any victim’s mobile app account without any knowledge of the legitimate user.

The research team from the Chinese University of Hong Kong is composed of Ronghai Yang, Wing Cheong Lau, and Tianyu Liu. The experts discovered that the vast majority of popular mobile apps that use the single sign-on (SSO) service doesn’t properly implement the OAuth 2.0 protocol.

The OAuth 2.0 authentication protocol is widely used on social networking sites, every day billion of users access their profiles on Facebook and Google+ using it.

Using the OAuth 2.0, users can sign in for third-party services by verifying existing identity through their accounts on popular web services such as Google, Facebook, or Sina.

Once authenticated, the users haven’t to provide their credentials to access other services implementing the OAuth 2.0 protocol.

This process enables users to sign-in to any service without providing additional usernames or passwords. This magic is possible because when a user logs into a third party app via OAuth, the app checks with the ID provider (i.e. Facebook, Google).
The ID providers, in turn, provide the Access Token to the server of that mobile app that uses it to request the user’s authentication information from the ID provider (i.e. Facebook). In this way, it is able to check user’s identity with data provided by the ID provider and authorize the login.
Below an image from the slides presented by the Team at the Black Hat Europe.

The Chinese researchers discovered that a large number of Android apps did not properly check the validity of the information passed by the ID provider.
The experts explained that the server app instead of verifying the OAuth information included in the Access Token to authenticate the user, the app server would only check if the information is passed by a legitimate ID provider.
This implementation opens the doors to the attackers that can install the flawed app on their mobile devices, log in to their own account and then simply by changing their username to the victim’s one by setting up a server to modify the data sent from Facebook, Google or other ID providers.
With this technique, the attacker can access data used by the flawed app potentially exposing sensitive information or use the app acting on behalf of the victims.

“The problem is a pretty basic mistake,” Lau told Forbes.

“The impact, he said, could be severe. For instance, if the hacker broke into a travel app, they could learn the full itinerary of an individual. For a hotel booking app, they could book a room and have the victim pay for it. Or they could simply steal personal data, like addresses or bank details.” wrote Thomas Fox-Brewster from Forbes.

“A lot of third party developers are ma and pa shops, they don’t have the capability. Most of the time they’re using Google and Facebook recommendations, but if they don’t do it correctly, their apps will be wide open.” . 

The experts have found hundreds of popular US and Chinese Android apps that support SSO service. The number of  downloads is huge, the researchers explained that a total of over 2.4 Billion downloads are vulnerable to this attack.

The experts estimated that over a Billion different mobile app accounts are at risk of being hijacked with their attack.

The researchers did not perform any test on iOS devices, but they believed that the attack would work also on Apple apps

“Although our current attack is demonstrated over the Android platform, the exploit itself is platform-agnostic: any iOS or Android user of the vulnerable mobile app is affected as long as he/ she has used the OAuth2.0-based SSO service with the app before,” the researchers said. 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – oAuth 2.0, mobile hacking)

 

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

41 mins ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

21 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.