Make Redirection Evil Again - URL Parser Issues in OAuth, presented at Black Hat Asia 2019

by Wing Cheong Lau, Ronghai Yang, Xianbo Wang, Shangcheng Shi

Summary: Since 2012, OAuth 2.0 has been widely deployed by online service providers worldwide. Security headlines related to OAuth show up from time to time, and most of the problems were caused by incorrect implementations of the protocol or service. The User-Agent Redirection mechanism in OAuth is one of the weaker links, as it is difficult for developers and operators to realize, understand, and properly implement all of its subtle but critical requirements. In this talk, we begin by tracing the history of the security community's understanding of OAuth redirection threats. The resulting changes and evolution of the OAuth specification, as well as the best current practice for its implementation and deployment, will also be discussed. We then introduce new OAuth redirection attack techniques which exploit the interaction of URL parsing problems with redirection handling in mainstream browsers or mobile apps. In particular, some attacks leverage our newly discovered URL interpretation bugs in mainstream browsers or the Android platform (the latter were independently discovered and have been patched recently). Our empirical study of 50 OAuth service providers worldwide found that numerous top-tier providers, with over 10,000 OAuth client apps and tens of millions of end users, are vulnerable to this new attack, with severe impact. In particular, it enables the attacker to hijack third-party (relying party) application or web-based service accounts, gain access to sensitive private information or protected resources, or even perform privileged actions on behalf of the victim users.
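As an added illustration of the best-current-practice redirect_uri check the abstract alludes to (example code written for this page, not the authors' material; the hostnames and sample URIs are constructed), the following contrasts a lenient host-plus-path-prefix check with the exact string match that the OAuth 2.0 Security Best Current Practice requires. The exact match never parses the URI, so no disagreement between URL parsers can creep into the decision.

```python
from urllib.parse import urlsplit

# Constructed sample: redirect_uri values a client app pre-registered with
# the authorization server (hypothetical hostname).
REGISTERED = {"https://app.example/oauth/callback"}


def prefix_check(redirect_uri: str) -> bool:
    """Lenient check seen in the wild: same scheme and host, and the path
    merely has to *start with* the registered path. Shown for contrast;
    it depends on how this particular parser reads the URI."""
    try:
        got = urlsplit(redirect_uri)
    except ValueError:
        return False
    for reg in map(urlsplit, REGISTERED):
        if (got.scheme, got.hostname) == (reg.scheme, reg.hostname) \
                and got.path.startswith(reg.path):
            return True
    return False


def exact_check(redirect_uri: str) -> bool:
    """BCP rule: the whole string must equal a registered value.
    No parsing, no normalization, no prefix or wildcard matching."""
    return redirect_uri in REGISTERED


def compare(redirect_uri: str) -> tuple:
    """Return (prefix_check result, exact_check result) for one value."""
    return prefix_check(redirect_uri), exact_check(redirect_uri)


SAMPLES = [  # constructed inputs, all sharing the registered scheme and host
    "https://app.example/oauth/callback",                    # registered value
    "https://app.example/oauth/callback?next=https://attacker.example/",
    "https://app.example/oauth/callback/../../account/export",  # unnormalized path
    "https://app.example/oauth/callbackXYZ",                 # longer path
    "http://app.example/oauth/callback",                     # scheme downgrade
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"prefix={compare(s)[0]!s:5} exact={compare(s)[1]!s:5}  {s}")
```

Only the first sample passes the exact match; the prefix check also accepts the appended query, the dot-segment path and the extended path, which is exactly the room the BCP removes by forbidding anything but exact comparison.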