OAuth is so insecure

Posted on 3/4/2015 @ 12:46 PM in #Vanilla .NET

Let me preface this by saying that the protocol or standard itself is not insecure. It is the implementations, and the sheer lack of understanding, that in practice make it so unbelievably insecure.

Let's face it, most computer users are not savvy enough to understand the complexity of what happens behind the scenes. If your mom knows why the lifetime of a refresh token matters, pat yourself on the back, you don't need to read further. Or maybe you still do.

I recently did a tweetshame of Disqus, WordPress, and Livefyre. The problem is, EVERYONE is too damn lax about security. Here are links to my tweets:

https://twitter.com/sahilmalik/status/573164008494272513

https://twitter.com/sahilmalik/status/573163535792017408

https://twitter.com/sahilmalik/status/573162609610002432

.. I hope these leading social players care to respond or, better, fix their issues, but I am not holding my breath. In a world where entire business models are built on the gullibility of end users, who will give up their last shred of privacy for the convenience of turning on a light bulb with a tweet (IFTTT, I am looking at you), I don't really expect things to change in a hurry.
But it is a BIG problem.

So here is the scenario: you see an article on a random news website about some hot topic, say Israel or Obama, and are tempted to respond.
They offer you the easy, convenient choice of logging on via one of your many social identities.

Very convenient – you click “Okay” to everything they ask for. I don't, but many do, as witnessed by the many people sharing their responses on these websites.
I don't, and it pisses me off, because there are conversations I want to participate in but don't, for this very reason.

These same people, who clicked okay on those sites, gladly share their real birthdates, addresses, even phone numbers on social media. Because these same people are gullible, trusting, and do not understand that on the internet, North Korea and Scandinavia are neighbors. (They are neighbors in the real world too, really, except there is Russia in the middle.) But as you read this blog post, Kim Jong Un might be on your computer. The internet is a big city where everyone is a neighbor of everyone else, and there are far too many bad players out there.

Here is a basic question – WHY does WordPress need the rights to update my Twitter profile and to post tweets on my behalf just so I can leave a comment? Shouldn't it be enough to just know who I am? The permissions an app asks for are granular (OAuth calls them scopes, and the consent screen lists them), and a comment system needs only a read-only identity permission, not the right to write to your account. And even though I am shaming WordPress, almost everyone is equally to blame.
To see what specific rights you have granted to the various apps on your various accounts, use the following links. Do leave a comment if you see something hair-raising such as “Allow app to see all your files in OneDrive”.

  1. Live ID, go here - https://account.live.com/consent/Manage?mkt=en-US 
  2. Facebook, https://www.facebook.com/settings?tab=applications
  3. Twitter, https://twitter.com/settings/applications
  4. Google, https://security.google.com/settings/security/permissions
  5. Yahoo, go to account.yahoo.com sign in, and look for “Manage apps and website connections”.
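Reviewing those settings pages after the fact is one check; the other is to look at what an app asks for before clicking “Okay”. The following is an added example (not code from the original post, and not any provider's tooling) that parses an OAuth 2.0 authorize URL and flags the things worth weighing: scopes beyond plain identity, a write-capable scope, a non-https redirect_uri, and a missing state parameter. The identity/read/write classification is this example's own conservative rule set; the scope strings are real Google, Microsoft Graph and Facebook names, while the client_id and redirect host in the sample URLs are constructed.

```python
"""Audit an OAuth 2.0 authorization request before consenting to it.

Added example: the classification rules below are this example's own, the
sample URLs are constructed, and only the scope names are real provider scopes.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that only identify the user; a comment form needs nothing beyond these.
IDENTITY_SCOPES = {
    "openid", "email", "profile",                          # OpenID Connect
    "https://www.googleapis.com/auth/userinfo.email",      # Google
    "https://www.googleapis.com/auth/userinfo.profile",
    "User.Read",                                           # Microsoft Graph
    "public_profile",                                      # Facebook
}

# Substrings that mean the app can change data or act on your behalf.
WRITE_MARKERS = ("write", "publish", "send", "manage", "modify", "post")


def classify_scope(scope: str) -> str:
    """Return 'identity', 'read' or 'write' for a single scope string."""
    if scope in IDENTITY_SCOPES:
        return "identity"
    low = scope.lower()
    # Google's bare resource scopes (.../auth/drive, .../auth/gmail) grant full
    # access; only the explicit ".readonly" variants are read-only.
    if low.startswith("https://www.googleapis.com/auth/"):
        return "read" if low.endswith(".readonly") else "write"
    if any(marker in low for marker in WRITE_MARKERS):
        return "write"
    return "read"


def audit_authorize_url(url: str) -> dict:
    """Parse an authorize URL and report what the user is about to grant."""
    query = parse_qs(urlparse(url).query)
    # Google/Microsoft separate scopes with spaces, Facebook with commas.
    scopes = query.get("scope", [""])[0].replace(",", " ").split()
    redirect = urlparse(query.get("redirect_uri", [""])[0])

    by_class = {"identity": [], "read": [], "write": []}
    for scope in scopes:
        by_class[classify_scope(scope)].append(scope)

    findings = []
    if by_class["write"]:
        findings.append("write access requested: " + ", ".join(by_class["write"]))
    if by_class["read"]:
        findings.append("read access beyond identity: " + ", ".join(by_class["read"]))
    if redirect.scheme != "https":
        findings.append(f"redirect_uri is not https ({redirect.scheme or 'missing'})")
    if "state" not in query:
        findings.append("no state parameter (login CSRF not prevented)")

    return {
        "client_id": query.get("client_id", [""])[0],
        "scopes": by_class,
        "findings": findings,
        "identity_only": not by_class["read"] and not by_class["write"],
    }


# Constructed sample requests: one asks only who you are, one asks for a lot more.
MINIMAL_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-client"
    "&redirect_uri=https%3A%2F%2Fcomments.example%2Fcb&response_type=code"
    "&scope=openid%20email&state=n0nc3"
)
GREEDY_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=example-client&redirect_uri=https%3A%2F%2Fcomments.example%2Fcb"
    "&response_type=code&scope=User.Read%20Mail.Read%20Files.ReadWrite.All"
)

if __name__ == "__main__":
    for label, url in (("minimal", MINIMAL_REQUEST), ("greedy", GREEDY_REQUEST)):
        report = audit_authorize_url(url)
        print(label, "identity_only =", report["identity_only"])
        for finding in report["findings"]:
            print("   -", finding)
```

The greedy request is the shape of the complaint above: a site that only needs `User.Read` also asks to read your mailbox and rewrite all your files, and the absence of `state` means the login itself can be forged onto your session.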

Then, to make matters worse, you have native apps on your phones using OAuth all over the place. The largest, most respected companies are guilty of making horrible security choices that you would never agree to if you really understood what you are opening yourself up to.

Here are some examples -

  1. The LinkedIn Office 365 app takes, in effect, a man-in-the-middle position: it reads ALL your email through the access you grant it. LinkedIn tried to launch it a few years ago as the “Intro” app for iOS devices; when security researchers cried foul, they backed off, only to launch it as an Office 365 app later. Don't forget, end users can install these apps and grant access without an admin's “Okay”. Sure, an admin can find out later by running a report – if he runs a report. But there is no way to prevent a specific app from being installed in your tenancy (at least not as of now). Here is my tweet about that - https://twitter.com/sahilmalik/status/562206533166301185
  2. The new Accompli app, now rebranded as Microsoft Outlook for iOS, has many experts crying foul too (link)
  3. The Skype app for iOS or Android uses embedded web views that rely on callback URLs to hand control back to the calling application once authentication is done. iOS does not let you reserve app URL schemes the way Windows Phone does, and Android is a free-for-all anyway: any app that registers the same custom URL scheme can receive the callback, and with it the code or token it carries. It is that easy for someone to steal the token, yet the app is widely used and no one seems to care. To be fair, it is not very hackable on Windows; to hack it on iOS you need possession of the physical device; but on Android it is quite wide open.
  4. Many more such examples ..
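The callback hijack in the Skype item above, modelled end to end as an added example (not code from the post, from Skype, or from any vendor): a toy authorization server, a toy OS that routes custom URL schemes to whichever app registered them last (the Android free-for-all), and two apps sharing the public client_id because a mobile app cannot keep a secret. The names `mobile-client` and `myapp://` are stand-ins for this example. The second half shows the check a practitioner wants here: the later PKCE extension (RFC 7636) binds the code to a verifier that never leaves the legitimate app, so a stolen code alone buys the attacker nothing.

```python
"""Toy model of a custom-URL-scheme redirect hijack and the PKCE mitigation.

Added example. The server, the OS scheme router, the client_id "mobile-client"
and the "myapp://" scheme are stand-ins written for this example.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Issues single-use authorization codes and redeems them for tokens."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge or None)

    def authorize(self, client_id, redirect_uri, code_challenge=None):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, code_challenge)
        # The server only builds the redirect; the device decides who receives it.
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, code, code_verifier=None):
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None or entry[0] != client_id:
            return None
        _, challenge = entry
        if challenge is not None and (
            code_verifier is None or pkce_challenge(code_verifier) != challenge
        ):
            return None  # code is bound to a verifier the caller does not hold
        return {"access_token": secrets.token_urlsafe(24),
                "refresh_token": secrets.token_urlsafe(24)}


class MobileOS:
    """Routes custom URL schemes; the last app to register a scheme wins."""

    def __init__(self):
        self._handlers = {}

    def register(self, scheme, app):
        self._handlers[scheme] = app

    def open(self, url):
        self._handlers[urlparse(url).scheme].receive(url)


class App:
    """A public (secret-less) mobile client. Attacker and victim share the
    client_id because it is readable from the shipped binary."""

    def __init__(self, name, client_id):
        self.name, self.client_id = name, client_id
        self.verifier = None  # PKCE secret; never leaves this object
        self.code = None

    def receive(self, redirect_url):
        self.code = parse_qs(urlparse(redirect_url).query)["code"][0]


def run_flow(use_pkce: bool, hijacked: bool) -> dict:
    """Run one authorization and report who got the code and who got tokens."""
    server, phone = AuthServer(), MobileOS()
    legit = App("legit", "mobile-client")
    evil = App("evil", "mobile-client")
    phone.register("myapp", legit)
    if hijacked:
        phone.register("myapp", evil)  # malicious app claims the same scheme

    challenge = None
    if use_pkce:
        legit.verifier = secrets.token_urlsafe(32)
        challenge = pkce_challenge(legit.verifier)
    phone.open(server.authorize(legit.client_id, "myapp://callback", challenge))

    # Whoever received the redirect tries to redeem the code it carried.
    attacker_tokens = server.token(evil.client_id, evil.code) if evil.code else None
    legit_tokens = (server.token(legit.client_id, legit.code, legit.verifier)
                    if legit.code else None)
    return {
        "code_went_to": evil.name if evil.code else legit.name,
        "attacker_got_tokens": attacker_tokens is not None,
        "legit_got_tokens": legit_tokens is not None,
    }


if __name__ == "__main__":
    for pkce in (False, True):
        for hijack in (False, True):
            print(f"pkce={pkce} hijacked={hijack}:", run_flow(pkce, hijack))
```

Without PKCE the hijacking app redeems the stolen code for an access token and a refresh token, which is exactly the theft the item above describes; with PKCE the same stolen code is rejected at the token endpoint. Note that PKCE stops the attacker using the code but does not stop the interception itself, and the legitimate app's login still fails in the hijacked case, so it limits damage rather than restoring the flow.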

Why is this such a big deal? Let's say I want to hack person “X” who maintains a blog:

Step #1 – Do a WHOIS lookup on his domain, find the registration information, and you know their mailing address.
Step #2 – Friend them on Facebook, follow them on Twitter, understand their patterns: what they do, where they go, family, friends, etc.
Step #3 – Be like LinkedIn, and gain full access to their inbox. Search for “SSN” – seriously, search your Gmail for the last 4 digits of your SSN; it's very easy.
Step #4 – Learn who their banking institution (or any other account you wish to hack into) is.
Step #5 – Call their institution and say “Oh, I forgot my PIN.” They will then ask you to prove your identity by asking some basic questions, and you can easily social-engineer those answers using the techniques above.

My point is:

  1. Corporations today are simply not concerned about your security and your information; they are making horrible mistakes when it comes to keeping your information secure, some on purpose, some out of sheer indifference.
  2. Be very careful about what you put out on social networks, especially private information. This includes your address, your phone, your birthdate, and any other personally identifiable information.
  3. Enable two-factor auth – everywhere. But remember, the moment you click “Okay” on an OAuth prompt, you have effectively handed over a valet key with specific rights that gets around the 2FA you so painstakingly set up: the token is presented on its own, with no second factor, for as long as it lives. Unfortunately everyone is asking for too many rights on that valet key, and unfortunately people are handing it over without considering the repercussions.

It is very difficult to be secure these days. VERY VERY difficult. But at least don't be so callous about it!
Be safe!
