OAuth 2.0 lets apps sign users in through their Facebook or Google accounts. One problem: over 41% of top apps using OAuth 2.0 for login aren't actually validating the identity data that comes back from the identity provider, allowing account hijacks.
Single sign on (SSO) services are definitely convenient: think of all the apps on your mobile device that let you log in using your Google or Facebook account. Chances are there are quite a few. Over 600 top-ranked apps on Google Play use the OAuth 2.0 protocol for login.
It's definitely convenient to skip account creation or signing in for every single app you install, but it's not without risks. In this case the risk is serious: 41.2% of the aforementioned 600 apps are putting users at risk of having their accounts in those apps hijacked through their Facebook or Google login.
That's around 250 top apps, accounting for over one billion downloads on Android alone. Chances are good there's at least one on your device, and because the mistake lives in each app's backend server rather than in Android itself, the flaw is platform agnostic.
The cause of the vulnerability
OAuth 2.0 login works basically like this: the app hands the user off to Google or Facebook (the identity provider), the user authenticates there, and the identity provider returns a token to the app. The app, or more usually its backend server, then uses that token to establish who the user is and signs them in. The app never sees the user's password.
Over half of the apps verify that the identity data they receive really came from Google or Facebook and really belongs to this login, for example by checking the signature on the returned ID token or by asking the identity provider which user the token was issued for. The 41% mentioned above don't: their backend simply trusts whatever user ID the client app relays, so it has no way to know whether that user actually logged in.
The discovery of this serious and widespread flaw is thanks to the work of three researchers at The Chinese University of Hong Kong: Ronghai Yang, Wing Cheong Lau, and Tianyu Liu. The research team demonstrated the account takeover with a man-in-the-middle proxy, as follows:
- The attacker installs a vulnerable app on an Android device they control.
- The attacker signs into the app using their own legitimate Google or Facebook login.
- Using an SSL-enabled man-in-the-middle proxy, the attacker replaces their own user ID in the identity provider's response with the victim's user ID. Only the victim's identity-provider user ID is needed, not their password.
- The proxy forwards the modified login data to the app, whose backend accepts it, and the attacker gains full access to the victim's account in that app.
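As an added illustration of the two backend behaviors described above (this is example code written for this page, not the researchers' code nor any real app's), the Python sketch below contrasts a backend that trusts the client-relayed user ID with one that derives identity only from a verified token. The identity provider, its signing key, the token format, the app ID, the user IDs and the request shape are all constructed assumptions: a real provider signs ID tokens with RS256 and publishes its public key, and an opaque access token would instead be validated by calling the provider's token-info endpoint.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the app's client ID as registered with the identity provider.
APP_ID = "com.example.app"
IDP_ISSUER = "https://idp.example"

# Constructed stand-in for the identity provider's signing key. A real IdP signs
# with a private key (RS256) and publishes the public half; HMAC keeps the toy short.
IDP_KEY = b"constructed-idp-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_id_token(user_id: str, audience: str) -> str:
    """Identity provider side: mint a JWT-style token binding user_id to one app."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": IDP_ISSUER, "sub": user_id, "aud": audience}).encode())
    signature = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(signature)}"


def verify_id_token(token: str) -> dict:
    """App backend side: check signature, issuer and audience before trusting any claim."""
    try:
        header, payload, signature = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    expected = hmac.new(IDP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(signature)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != APP_ID:
        raise ValueError("token not issued by our IdP for this app")
    return claims


def vulnerable_login(request: dict) -> str:
    """The 41% pattern: the backend believes the user_id the client app relayed."""
    return request["user_id"]


def hardened_login(request: dict) -> str:
    """Identity comes only from the verified token; the client-supplied user_id is ignored."""
    return verify_id_token(request["id_token"])["sub"]


def try_hardened_login(request: dict) -> str:
    """Convenience wrapper: the signed-in user ID, or "REJECTED" when verification fails."""
    try:
        return hardened_login(request)
    except ValueError:
        return "REJECTED"


def forge_token(token: str, new_sub: str) -> str:
    """What a MITM can do without the IdP key: rewrite the payload, keep the old signature."""
    header, payload, signature = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["sub"] = new_sub
    return f"{header}.{_b64(json.dumps(claims).encode())}.{signature}"


def simulate_attack() -> tuple:
    """Replay the proxy attack: attacker logs in honestly, proxy swaps in the victim's ID."""
    attacker_token = idp_issue_id_token("attacker-uid", APP_ID)
    honest = {"user_id": "attacker-uid", "id_token": attacker_token}
    tampered = dict(honest, user_id="victim-uid")  # the MITM rewrite from the steps above
    return vulnerable_login(tampered), try_hardened_login(tampered)


if __name__ == "__main__":
    print(simulate_attack())  # vulnerable backend signs in "victim-uid", hardened one "attacker-uid"
```

The point of the contrast is where the user ID comes from: the hardened backend never reads it from the client, so swapping the relayed ID does nothing, and editing the token's payload breaks the signature. In production the same rule applies whether the backend verifies a signed ID token against the provider's published keys or sends an opaque access token to the provider's token-info endpoint and uses the user ID and app ID the provider returns; the audience check matters too, since a token legitimately issued to some other app must not sign anyone in here.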
What's at risk
The potential fallout from this exploit is huge. Many of the affected apps store user profile data in the cloud, so once the attacker is signed in to a fresh install as the victim, all of the victim's data in that app is open for the taking.
The paper, which Forbes has covered, doesn't name any affected apps, so we're left to speculate as to what could happen. Attackers could perform in-app purchases, book hotels, buy products: essentially any app you have installed that uses SSO could potentially be used against you.
The paper's authors did reveal one bright spot: they've notified Google, Facebook, and other identity providers of the flaw, and the providers are working with third-party developers to plug the holes.
With nearly 250 known affected apps that could take some time, so it may be worth holding off on SSO logins for a while.
The research team are presenting their findings today at Black Hat Europe.
The 3 big takeaways for TechRepublic readers
- OAuth 2.0 single sign on, common on Android and iOS, is implemented by many apps in a way that allows attackers to hijack user accounts. The flaw is in the apps' use of the protocol, not in the protocol itself.
- The problem affects over 41 percent of the top mobile apps using OAuth 2.0 for login.
- The exploit is caused by third-party apps' backends not verifying the identity data relayed from Google, Facebook, and other SSO identity providers. This allows an attacker who logs in legitimately to substitute another user's ID for their own and be signed in to that user's account.