by Wing Cheong Lau, Ronghai Yang,

Summary: The OAuth2.0 protocol has been widely adopted by mainstream Identity Providers (IdPs) to support Single-Sign-On (SSO) services. Since the protocol was originally designed to serve the authorization needs of 3rd party websites, various vulnerabilities have been uncovered when OAuth is adapted to support mobile app authentication. To the best of our knowledge, all the attacks discovered so far (BlackHat USA'16 [3], CCS'14 [2], ACSAC'15 [7], and others) require interaction with the victim, for example via malicious apps or network eavesdropping. In contrast, we have discovered a new type of widespread but incorrect usage of OAuth that can be exploited remotely by an attacker to sign into a victim's mobile app account without any involvement or awareness of the victim. The root cause of this vulnerability is a common but misplaced trust: the 3rd party app's backend server trusts the authenticating information it receives from its own client-side mobile app, which in turn relies on potentially tampered information obtained from the client-side mobile app of the IdP.
To confirm the widespread nature of the vulnerability, we have developed an exploit for this new vulnerability against three top-tier IdPs that support SSO services for many 3rd party mobile apps and serve billions of registered users worldwide. Our empirical findings are alarming: on average, 46.26% of the mobile apps under test are found to be vulnerable to the new attack. Our incomplete list of vulnerable applications includes top-ranked mobile apps for travel planning, hotel reservation, personal finance management, private chatting, dating services, online shopping, video/music streaming, etc. The total number of downloads for our incomplete list of popular but vulnerable apps already exceeds 2.4 billion. As such, a massive amount of extremely sensitive personal information is wide open for the taking as a result of this vulnerability. For some of the vulnerable apps, the online currency or service credits associated with the victim's mobile app account are also at the disposal of the attacker. Although our current attack is demonstrated on the Android platform, the exploit itself is platform-agnostic: any iOS or Android user of a vulnerable mobile app is affected as long as he/she has used the OAuth2.0-based SSO service with the app before. It is therefore urgent for the various affected parties to take immediate preventive and remedial actions when implementing OAuth2.0-based SSO services for mobile applications.
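The root cause described in the summary is a backend that binds a session to whatever user identity its own mobile app reports. The following added example (not code from the paper or from any IdP) models that trust decision offline: a constructed toy IdP, a vulnerable login handler that accepts the client-reported identity, and a hardened handler that instead sends the access token to the IdP server-side and uses only the identity the IdP asserts. The hardened handler also checks that the token was issued to this app, which goes slightly beyond the summary but is standard practice for server-side OAuth token verification. All names (`APP_ID`, `TokenInfo`, the token strings, the account map) are assumptions made for the example.

```python
"""Added illustration of the OAuth2.0 mobile-SSO trust problem.

Constructed, offline model: a toy IdP that has issued access tokens, a
3rd party backend that receives a login request from its own mobile app,
and two ways the backend can decide who the user is. Every identifier
here is an assumption for the example, not any real IdP's API.
"""
from dataclasses import dataclass
from typing import Optional

# This 3rd party app's client id at the IdP (constructed value).
APP_ID = "app-travel-planner"


@dataclass(frozen=True)
class TokenInfo:
    user_id: str   # the IdP's stable identifier for the end user
    app_id: str    # the client the token was issued to (its audience)
    valid: bool


# Constructed IdP state: access_token -> (user_id, app_id). This stands in
# for the IdP's server-side token-verification endpoint reached over TLS.
_IDP_TOKENS = {
    "tok-alice-travel": ("user-alice", APP_ID),
    "tok-bob-travel":   ("user-bob",   APP_ID),
    "tok-alice-other":  ("user-alice", "app-other-game"),  # issued to another app
}


def idp_verify_token(access_token: str) -> TokenInfo:
    """Simulated server-to-server verification call to the IdP."""
    entry = _IDP_TOKENS.get(access_token)
    if entry is None:
        return TokenInfo(user_id="", app_id="", valid=False)
    user_id, app_id = entry
    return TokenInfo(user_id=user_id, app_id=app_id, valid=True)


# Backend account store: IdP user id -> local account id (constructed).
_ACCOUNTS = {"user-alice": "acct-1001", "user-bob": "acct-1002"}


def login_trusting_client(request: dict) -> Optional[str]:
    """Vulnerable pattern from the summary: the backend binds the session
    to the identity its own mobile app reports. That identity came from
    the IdP's client-side app, so the backend never verified it itself."""
    claimed_user = request.get("idp_user_id", "")
    return _ACCOUNTS.get(claimed_user)


def login_verifying_with_idp(request: dict) -> Optional[str]:
    """Hardened pattern: ignore any client-reported identity, verify the
    access token with the IdP server-side, and use only the identity the
    IdP asserts. Also reject tokens that were issued to a different app."""
    token = request.get("access_token", "")
    info = idp_verify_token(token)
    if not info.valid:
        return None
    if info.app_id != APP_ID:
        return None
    return _ACCOUNTS.get(info.user_id)


if __name__ == "__main__":
    # Legitimate login from Alice's device: both handlers agree.
    ok = {"idp_user_id": "user-alice", "access_token": "tok-alice-travel"}
    print(login_trusting_client(ok), login_verifying_with_idp(ok))

    # Regression check for the backend: a request whose client-reported
    # identity does not match its token. The trusting handler follows the
    # claim; the verifying handler follows the IdP's answer.
    mismatched = {"idp_user_id": "user-bob", "access_token": "tok-alice-travel"}
    print(login_trusting_client(mismatched), login_verifying_with_idp(mismatched))
```

The design point is that the only value the backend should accept from its mobile app is an opaque credential it can verify with the IdP itself; the user identity, and the fact that the token belongs to this app, must come back from that server-to-server check rather than from the client. The same check applies whether the mobile app runs on Android or iOS, which matches the summary's observation that the issue is platform-agnostic.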